Commit

Script updating gh-pages from 77d5180. [ci skip]
ID Bot committed Mar 18, 2024
1 parent e43ccf3 commit 0f3920f
Showing 5 changed files with 180 additions and 122 deletions.
142 changes: 84 additions & 58 deletions draft-ietf-lamps-rfc4210bis.html
Expand Up @@ -22,16 +22,16 @@
adding new general message types, and adding extended key usages to identify
special CMP server authorizations. Introducing CMP version 3 to be used only
for changes to the ASN.1 syntax, which are: support of EnvelopedData instead
of EncryptedValue and hashAlg for indicating a hash AlgorithmIdentifier in
certConf messages.
of EncryptedValue, hashAlg for indicating a hash AlgorithmIdentifier in
certConf messages, and RootCaKeyUpdateContent in ckuann messages.
In addition to the changes specified in CMP Updates RFC 9480 this document
adds support for management of KEM certificates.
Appendix F of this document updates the 2002 ASN.1 module in RFC 5912 Section 9.
" name="description">
<meta content="xml2rfc 3.20.0" name="generator">
<meta content="xml2rfc 3.20.1" name="generator">
<meta content="draft-ietf-lamps-rfc4210bis-latest" name="ietf.draft">
<!-- Generator version information:
xml2rfc 3.20.0
xml2rfc 3.20.1
Python 3.11.8
ConfigArgParse 1.7
google-i18n-address 3.1.0
Expand Down Expand Up @@ -1047,7 +1047,7 @@
</tr></thead>
<tfoot><tr>
<td class="left">Brockhaus, et al.</td>
<td class="center">Expires 9 September 2024</td>
<td class="center">Expires 19 September 2024</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
Expand All @@ -1066,12 +1066,12 @@
<a href="https://www.rfc-editor.org/rfc/rfc5912" class="eref">5912</a> (if approved)</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2024-03-08" class="published">8 March 2024</time>
<time datetime="2024-03-18" class="published">18 March 2024</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Standards Track</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2024-09-09">9 September 2024</time></dd>
<dd class="expires"><time datetime="2024-09-19">19 September 2024</time></dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
Expand Down Expand Up @@ -1108,8 +1108,8 @@ <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
adding new general message types, and adding extended key usages to identify
special CMP server authorizations. Introducing CMP version 3 to be used only
for changes to the ASN.1 syntax, which are: support of EnvelopedData instead
of EncryptedValue and hashAlg for indicating a hash AlgorithmIdentifier in
certConf messages.<a href="#section-abstract-2" class="pilcrow"></a></p>
of EncryptedValue, hashAlg for indicating a hash AlgorithmIdentifier in
certConf messages, and RootCaKeyUpdateContent in ckuann messages.<a href="#section-abstract-2" class="pilcrow"></a></p>
<p id="section-abstract-3">In addition to the changes specified in CMP Updates RFC 9480 this document
adds support for management of KEM certificates.<a href="#section-abstract-3" class="pilcrow"></a></p>
<p id="section-abstract-4">Appendix F of this document updates the 2002 ASN.1 module in RFC 5912 Section 9.<a href="#section-abstract-4" class="pilcrow"></a></p>
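Review bot: the paragraph section-abstract-3 is now incomplete: it says that, beyond RFC 9480, this document "adds support for management of KEM certificates", but the line just above adds "RootCaKeyUpdateContent in ckuann messages" to the list of cmp2021 syntax changes, and that change is introduced by this document rather than by RFC 9480 (see the new section-1.3 bullet "Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent"). Suggest extending the sentence to something like "adds support for management of KEM certificates and deprecates CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent", and since the description meta in the first hunk is generated from the abstract, the same wording should land there.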
Expand Down Expand Up @@ -1144,7 +1144,7 @@ <h2 id="name-status-of-this-memo">
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on 9 September 2024.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on 19 September 2024.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
Expand Down Expand Up @@ -1875,14 +1875,17 @@ <h3 id="name-changes-made-by-this-docume">
<p id="section-1.3-2.5.1">Added support for KEM keys for proof-of-possession to <a href="#sect-4.3" class="auto internal xref">Section 4.3</a> and <a href="#sect-5.2.8" class="auto internal xref">Section 5.2.8</a>, for message protection to <a href="#sect-5.1.1" class="auto internal xref">Section 5.1.1</a>, <a href="#sect-5.1.3.4" class="auto internal xref">Section 5.1.3.4</a>, and <a href="#sect-e" class="auto internal xref">Appendix E</a>, and for usage with CMS EnvelopedData to <a href="#sect-5.2.2" class="auto internal xref">Section 5.2.2</a>.<a href="#section-1.3-2.5.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-1.3-2.6">
<p id="section-1.3-2.6.1">Incorporated the request message behavioral clarifications from Appendix
C of <span>[<a href="#RFC4210" class="cite xref">RFC4210</a>]</span> to <a href="#sect-5" class="auto internal xref">Section 5</a>. The definition of altCertTemplate was incorporated into <a href="#sect-5.2.1" class="auto internal xref">Section 5.2.1</a> and the clarification on POPOSigningKey and on POPOPrivKey was incorporated into <a href="#sect-5.2.8" class="auto internal xref">Section 5.2.8</a>.<a href="#section-1.3-2.6.1" class="pilcrow"></a></p>
<p id="section-1.3-2.6.1">Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent.<a href="#section-1.3-2.6.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-1.3-2.7">
<p id="section-1.3-2.7.1">Added support support for CMS EnvelopedData to different proof-of-possession methods for transferring encrypted private keys, certificates, and challenges to <a href="#sect-5.2.8" class="auto internal xref">Section 5.2.8</a>.<a href="#section-1.3-2.7.1" class="pilcrow"></a></p>
<p id="section-1.3-2.7.1">Incorporated the request message behavioral clarifications from Appendix
C of <span>[<a href="#RFC4210" class="cite xref">RFC4210</a>]</span> to <a href="#sect-5" class="auto internal xref">Section 5</a>. The definition of altCertTemplate was incorporated into <a href="#sect-5.2.1" class="auto internal xref">Section 5.2.1</a> and the clarification on POPOSigningKey and on POPOPrivKey was incorporated into <a href="#sect-5.2.8" class="auto internal xref">Section 5.2.8</a>.<a href="#section-1.3-2.7.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-1.3-2.8">
<p id="section-1.3-2.8.1">Added <a href="#sect-8.1" class="auto internal xref">Section 8.1</a>, <a href="#sect-8.5" class="auto internal xref">Section 8.5</a>, <a href="#sect-8.8" class="auto internal xref">Section 8.8</a>, and <a href="#sect-8.11" class="auto internal xref">Section 8.11</a>.<a href="#section-1.3-2.8.1" class="pilcrow"></a></p>
<p id="section-1.3-2.8.1">Added support support for CMS EnvelopedData to different proof-of-possession methods for transferring encrypted private keys, certificates, and challenges to <a href="#sect-5.2.8" class="auto internal xref">Section 5.2.8</a>.<a href="#section-1.3-2.8.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-1.3-2.9">
<p id="section-1.3-2.9.1">Added <a href="#sect-8.1" class="auto internal xref">Section 8.1</a>, <a href="#sect-8.5" class="auto internal xref">Section 8.5</a>, <a href="#sect-8.8" class="auto internal xref">Section 8.8</a>, and <a href="#sect-8.11" class="auto internal xref">Section 8.11</a>.<a href="#section-1.3-2.9.1" class="pilcrow"></a></p>
</li>
</ul>
</section>
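Review bot: the relocated bullet now at section-1.3-2.8.1 still carries the doubled word in "Added support support for CMS EnvelopedData"; since this hunk already rewrites that paragraph (new id, same text), fix the typo here rather than in a later commit. Also note that inserting the new bullet at position 2.6 shifts every following anchor (section-1.3-2.6.1 becomes 2.7.1, 2.7.1 becomes 2.8.1, 2.8.1 becomes 2.9.1), so any existing deep links into this list from reviews or mailing-list threads now point at the wrong bullet; if the source allows, give the new bullet an explicit anchor or append it at the end of the list instead.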
Expand Down Expand Up @@ -2775,7 +2778,7 @@ <h4 id="name-ca-operator-actions">
</li>
<li id="section-4.4.1-2.5">
<p id="section-4.4.1-2.5.1">Publish these new certificates via the repository and/or other
means (perhaps using a CAKeyUpdAnn message or RootCaKeyUpdateContent);<a href="#section-4.4.1-2.5.1" class="pilcrow"></a></p>
means (perhaps using a ckuann message or RootCaKeyUpdateContent);<a href="#section-4.4.1-2.5.1" class="pilcrow"></a></p>
</li>
<li id="section-4.4.1-2.6">
<p id="section-4.4.1-2.6.1">Export the new CA public key so that end entities may acquire it
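Review bot: "perhaps using a ckuann message or RootCaKeyUpdateContent" reads as if the two were alternatives, whereas after this change a ckuann message itself carries RootCaKeyUpdateContent (via the cAKeyUpdAnnV3 alternative of CAKeyUpdContent). The other transport for the same structure is the general response defined later (GenRep: {id-it 18}, RootCaKeyUpdateValue), so suggest "perhaps using a ckuann message, or a RootCaKeyUpdateValue general response" to name both mechanisms accurately.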
Expand Down Expand Up @@ -3278,33 +3281,33 @@ <h4 id="name-pki-message-body">
<div class="lang-asn.1 sourcecode" id="section-5.1.2-1">
<pre>
PKIBody ::= CHOICE {
ir [0] CertReqMessages, --Initialization Req
ip [1] CertRepMessage, --Initialization Resp
cr [2] CertReqMessages, --Certification Req
cp [3] CertRepMessage, --Certification Resp
p10cr [4] CertificationRequest, --PKCS #10 Cert. Req.
popdecc [5] POPODecKeyChallContent --pop Challenge
popdecr [6] POPODecKeyRespContent, --pop Response
kur [7] CertReqMessages, --Key Update Request
kup [8] CertRepMessage, --Key Update Response
krr [9] CertReqMessages, --Key Recovery Req
krp [10] KeyRecRepContent, --Key Recovery Resp
rr [11] RevReqContent, --Revocation Request
rp [12] RevRepContent, --Revocation Response
ccr [13] CertReqMessages, --Cross-Cert. Request
ccp [14] CertRepMessage, --Cross-Cert. Resp
ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
cann [16] CertAnnContent, --Certificate Ann.
rann [17] RevAnnContent, --Revocation Ann.
crlann [18] CRLAnnContent, --CRL Announcement
pkiconf [19] PKIConfirmContent, --Confirmation
nested [20] NestedMessageContent, --Nested Message
genm [21] GenMsgContent, --General Message
genp [22] GenRepContent, --General Response
error [23] ErrorMsgContent, --Error Message
certConf [24] CertConfirmContent, --Certificate Confirm
pollReq [25] PollReqContent, --Polling Request
pollRep [26] PollRepContent --Polling Response
ir [0] CertReqMessages, --Initialization Req
ip [1] CertRepMessage, --Initialization Resp
cr [2] CertReqMessages, --Certification Req
cp [3] CertRepMessage, --Certification Resp
p10cr [4] CertificationRequest, --PKCS #10 Cert. Req.
popdecc [5] POPODecKeyChallContent, --pop Challenge
popdecr [6] POPODecKeyRespContent, --pop Response
kur [7] CertReqMessages, --Key Update Request
kup [8] CertRepMessage, --Key Update Response
krr [9] CertReqMessages, --Key Recovery Req
krp [10] KeyRecRepContent, --Key Recovery Resp
rr [11] RevReqContent, --Revocation Request
rp [12] RevRepContent, --Revocation Response
ccr [13] CertReqMessages, --Cross-Cert. Request
ccp [14] CertRepMessage, --Cross-Cert. Resp
ckuann [15] CAKeyUpdContent, --CA Key Update Ann.
cann [16] CertAnnContent, --Certificate Ann.
rann [17] RevAnnContent, --Revocation Ann.
crlann [18] CRLAnnContent, --CRL Announcement
pkiconf [19] PKIConfirmContent, --Confirmation
nested [20] NestedMessageContent, --Nested Message
genm [21] GenMsgContent, --General Message
genp [22] GenRepContent, --General Response
error [23] ErrorMsgContent, --Error Message
certConf [24] CertConfirmContent, --Certificate Confirm
pollReq [25] PollReqContent, --Polling Request
pollRep [26] PollRepContent --Polling Response
}
</pre><a href="#section-5.1.2-1" class="pilcrow"></a>
</div>
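Review bot: the added comma after "popdecc [5] POPODecKeyChallContent" repairs a real syntax error in the old excerpt (the line at -3284 had no separator before popdecr), so this hunk is worth calling out in the change log even though the compilable module in Appendix F was already correct. On the type change for [15]: replacing CAKeyUpdAnnContent with the CAKeyUpdContent CHOICE keeps old cmp2000 announcements decodable only because the two alternatives have distinct outer tags (the untagged cAKeyUpdAnnV2 keeps its SEQUENCE tag, cAKeyUpdAnnV3 is wrapped in context tag [0]); it would help implementers to state in Section 5.3.13 that the encoding of a cmp2000 ckuann body is unchanged on the wire for exactly this reason.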
Expand Down Expand Up @@ -4412,13 +4415,20 @@ <h4 id="name-ca-key-update-announcement-">
be used to announce this event.<a href="#section-5.3.13-1" class="pilcrow"></a></p>
<div class="lang-asn.1 sourcecode" id="section-5.3.13-2">
<pre>
CAKeyUpdAnnContent ::= SEQUENCE {
oldWithNew Certificate,
newWithOld Certificate,
newWithNew Certificate
RootCaKeyUpdateContent ::= SEQUENCE {
newWithNew CMPCertificate,
newWithOld [0] CMPCertificate OPTIONAL,
oldWithNew [1] CMPCertificate OPTIONAL
}

CAKeyUpdContent ::= CHOICE {
cAKeyUpdAnnV2 CAKeyUpdAnnContent, -- deprecated
cAKeyUpdAnnV3 [0] RootCaKeyUpdateContent
}
</pre><a href="#section-5.3.13-2" class="pilcrow"></a>
</div>
<p id="section-5.3.13-3">To indicate support for RootCaKeyUpdateContent in the ckuann message, the pvno cmp2021 <span class="bcp14">MUST</span> be used. Details on the usage of the protocol version number (pvno) are described in Section 7.<a href="#section-5.3.13-3" class="pilcrow"></a></p>
<p id="section-5.3.13-4">In contrast to CAKeyUpdAnnContent as supported with cmp2000, RootCaKeyUpdateContent offers omitting newWithOld and oldWithNew, depending on the needs of the EE.<a href="#section-5.3.13-4" class="pilcrow"></a></p>
</section>
</div>
<div id="sect-5.3.14">
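Review bot: two points on the new prose at section-5.3.13-3 and -4. First, "are described in Section 7" is plain text while every other section reference in this file renders as an xref link (class="auto internal xref"); use an xref so the link is generated and the number tracks renumbering. Second, the paragraph states the rule for RootCaKeyUpdateContent (pvno cmp2021 MUST be used) but says nothing about the deprecated alternative: add the complementary rule, e.g. that cAKeyUpdAnnV2 is only to be used when the message carries pvno cmp2000 and MUST NOT be used with cmp2021, otherwise a cmp2021 message carrying the deprecated form is syntactically valid but its status is undefined. The sentence at section-5.3.13-4 is repeated almost verbatim in section-5.3.19.15-5; keep it here and turn the later one into a reference to this section.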
Expand Down Expand Up @@ -4639,9 +4649,10 @@ <h5 id="name-updated-ca-key-pair">
<p id="section-5.3.19.5-1">This <span class="bcp14">MAY</span> be used by the CA to announce a CA key update event.<a href="#section-5.3.19.5-1" class="pilcrow"></a></p>
<div class="alignLeft art-text artwork" id="section-5.3.19.5-2">
<pre>
GenMsg: {id-it 5}, CAKeyUpdAnnContent
GenMsg: {id-it 18}, RootCaKeyUpdateValue
</pre><a href="#section-5.3.19.5-2" class="pilcrow"></a>
</div>
<p id="section-5.3.19.5-3">See <a href="#sect-5.3.13" class="auto internal xref">Section 5.3.13</a> for details of CA key update announcements.<a href="#section-5.3.19.5-3" class="pilcrow"></a></p>
</section>
</div>
<div id="sect-5.3.19.6">
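Review bot: changing the "Updated CA Key Pair" announcement from {id-it 5} to {id-it 18} makes the same id-it OID appear in two subsections with different roles: here it is a GenMsg (the CA announcing the event) while Section 5.3.19.15 defines {id-it 18} as the GenRep to a {id-it 20} root CA certificate request. Either state explicitly that id-it 18 is valid in both genm and genp and say how a receiver distinguishes an unsolicited announcement from a response, or fold this subsection into 5.3.19.15 (the added sentence already cross-references 5.3.13 for details). Also, since Appendix F now comments that id-it-caKeyUpdateInfo was deprecated with cmp2021 while the Appendix D profile still allows CAKeyUpdateInfo for cmp2000 compatibility, this subsection should keep a line recording that {id-it 5} remains in use with pvno cmp2000.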
Expand Down Expand Up @@ -4784,7 +4795,7 @@ <h5 id="name-root-ca-update">
<div class="alignLeft art-text artwork" id="section-5.3.19.15-3">
<pre>
GenMsg: {id-it 20}, RootCaCertValue | &lt; absent &gt;
GenRep: {id-it 18}, RootCaKeyUpdateContent | &lt; absent &gt;
GenRep: {id-it 18}, RootCaKeyUpdateValue | &lt; absent &gt;
</pre><a href="#section-5.3.19.15-3" class="pilcrow"></a>
</div>
<div class="lang-asn.1 sourcecode" id="section-5.3.19.15-4">
Expand All @@ -4800,8 +4811,9 @@ <h5 id="name-root-ca-update">
}
</pre><a href="#section-5.3.19.15-4" class="pilcrow"></a>
</div>
<p id="section-5.3.19.15-5">Note: In contrast to CAKeyUpdAnnContent, this type offers omitting newWithOld
and oldWithNew in the GenRep message, depending on the needs of the EE.<a href="#section-5.3.19.15-5" class="pilcrow"></a></p>
<p id="section-5.3.19.15-5">Note: In contrast to CAKeyUpdAnnContent (which was deprecated with pvno cmp2021),
RootCaKeyUpdateContent offers omitting newWithOld and oldWithNew,
depending on the needs of the EE.<a href="#section-5.3.19.15-5" class="pilcrow"></a></p>
</section>
</div>
<div id="sect-5.3.19.16">
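Review bot: "CAKeyUpdAnnContent (which was deprecated with pvno cmp2021)" uses the past tense as though the deprecation happened elsewhere, but it is this document that deprecates it (section-1.3 and Appendix G); prefer "which this document deprecates for pvno cmp2021". The rest of the note duplicates section-5.3.13-4 word for word; a one-line pointer to Section 5.3.13 avoids the two copies drifting apart in later revisions.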
Expand Down Expand Up @@ -5457,7 +5469,7 @@ <h2 id="name-version-negotiation">
<p id="section-7-3">Note: Using cmp2000 as the default pvno is done to avoid extra message exchanges
for version negotiation and to foster compatibility with cmp2000 implementations.
Version cmp2021 syntax is only needed if a message exchange uses hashAlg
(in CertStatus) or EnvelopedData.<a href="#section-7-3" class="pilcrow"></a></p>
(in CertStatus), EnvelopedData, or ckuann with RootCaKeyUpdateContent.<a href="#section-7-3" class="pilcrow"></a></p>
<p id="section-7-4">If a server receives a message with a version that it supports, then
the version of the response message <span class="bcp14">MUST</span> be the same as the received
version. If a server receives a message with a version higher or
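Review bot: adding "ckuann with RootCaKeyUpdateContent" to the list of exchanges that need cmp2021 leaves a gap that the surrounding paragraph makes visible: this note justifies cmp2000 as the default precisely to avoid version negotiation, yet a ckuann announcement is sent by the CA without a preceding request, so the CA has no negotiation signal telling it whether the EE accepts cmp2021. Suggest one sentence stating the intended behaviour, for example that the CA uses the deprecated cAKeyUpdAnnV2 form with pvno cmp2000 unless it knows (by configuration or an earlier cmp2021 exchange with that EE) that the recipient supports cmp2021.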
Expand Down Expand Up @@ -6699,10 +6711,10 @@ <h3 id="name-root-ca-key-update-3">
Field Value Comment
--------------------------------------------------------------
sender CA name CA name
body ckuann(CAKeyUpdAnnContent)
oldWithNew present see Appendix D.3 above
newWithOld present see Appendix D.3 above
body ckuann(RootCaKeyUpdateContent)
newWithNew present see Appendix D.3 above
newWithOld optionally present see Appendix D.3 above
oldWithNew optionally present see Appendix D.3 above
extraCerts optionally present can be used to "publish"
certificates (e.g.,
certificates signed using
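Review bot: the profile row "body ckuann(RootCaKeyUpdateContent)" names the inner structure but the PKIBody type for ckuann is now the CAKeyUpdContent CHOICE, so the row should say which alternative is meant (cAKeyUpdAnnV3) or use the CHOICE name, consistent with how the other body rows name the PKIBody type. Because Section 5.3.13 requires pvno cmp2021 for this form, the profile should also state the required pvno for this message; the visible rows do not carry it, so check the header rows of this table above the shown context.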
Expand Down Expand Up @@ -6787,9 +6799,11 @@ <h3 id="name-pki-information-request-res">
value
-- the symmetric algorithm that this CA expects to be used
-- in later PKI messages (for encryption)
CAKeyUpdateInfo optionally present, with
RootCaKeyUpdate optionally present, with
relevant value
-- the CA MAY provide information about a relevant root CA
-- Use RootCaKeyUpdate; if backward compatibility with cmp2000 is
-- required, use CAKeyUpdateInfo.
-- The CA MAY provide information about a relevant root CA
-- key pair using this field (note that this does not imply
-- that the responding CA is the root CA in question)
CurrentCRL optionally present, with relevant value
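Review bot: the new comment "Use RootCaKeyUpdate; if backward compatibility with cmp2000 is required, use CAKeyUpdateInfo." is the only place in the diff that spells the field as RootCaKeyUpdate; Section 5.3.19.15 calls the GenRep value RootCaKeyUpdateValue and the structure RootCaKeyUpdateContent, and Appendix F comments use CAKeyUpdateInfoValue, so align the name with the ASN.1 it refers to. It would also help to say that "backward compatibility" here means the response carries pvno cmp2000, since Appendix F now marks id-it-caKeyUpdateInfo as deprecated with cmp2021 and a reader of this profile has no other way to know when CAKeyUpdateInfo is still permitted.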
Expand Down Expand Up @@ -7341,7 +7355,7 @@ <h2 id="name-compilable-asn1-definitions">
rp [12] RevRepContent, --Revocation Response
ccr [13] CertReqMessages, --Cross-Cert. Request
ccp [14] CertRepMessage, --Cross-Cert. Response
ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.
ckuann [15] CAKeyUpdContent, --CA Key Update Ann.
cann [16] CertAnnContent, --Certificate Ann.
rann [17] RevAnnContent, --Revocation Ann.
crlann [18] CRLAnnContent, --CRL Announcement
Expand Down Expand Up @@ -7635,6 +7649,14 @@ <h2 id="name-compilable-asn1-definitions">
newWithNew CMPCertificate -- new pub signed with new priv
}

-- CAKeyUpdContent was added in [RFCXXXX]
CAKeyUpdContent ::= CHOICE {
cAKeyUpdAnnV2 CAKeyUpdAnnContent, -- deprecated
cAKeyUpdAnnV3 [0] RootCaKeyUpdateContent
}
-- With cmp2021 the use of CAKeyUpdAnnContent is deprecated , use
-- RootCaKeyUpdateContent instead.

CertAnnContent ::= CMPCertificate

RevAnnContent ::= SEQUENCE {
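Review bot: formatting in the added ASN.1 comments: "deprecated , use" has a stray space before the comma, and the two-line deprecation note sits directly under the closing brace of CAKeyUpdContent without the blank line the rest of the module uses between a definition and the next item. Suggest moving the note up next to "-- CAKeyUpdContent was added in [RFCXXXX]" so all commentary on this type is in one place above the definition, e.g. "-- With cmp2021 the use of CAKeyUpdAnnContent is deprecated; use RootCaKeyUpdateContent instead." The [RFCXXXX] placeholder is fine as long as the RFC Editor note elsewhere in the document lists it for replacement.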
Expand Down Expand Up @@ -7765,6 +7787,7 @@ <h2 id="name-compilable-asn1-definitions">
-- PreferredSymmAlgValue ::= AlgorithmIdentifier{{...}}
-- id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
-- CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
-- - id-it-caKeyUpdateInfo was deprecated with cmp2021
-- id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
-- CurrentCRLValue ::= CertificateList
-- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
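Review bot: the added line "-- - id-it-caKeyUpdateInfo was deprecated with cmp2021" has a doubled comment marker ("-- -") that no other line in this commented block uses; write it as "-- id-it-caKeyUpdateInfo is deprecated with cmp2021" to match the surrounding lines, and keep the tense consistent with the CAKeyUpdContent comment in the previous hunk, which says "is deprecated".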
Expand Down Expand Up @@ -7902,7 +7925,10 @@ <h2 id="name-history-of-changes">
<p id="appendix-G-2">From version 08 -&gt; 09:<a href="#appendix-G-2" class="pilcrow"></a></p>
<ul class="normal">
<li class="normal" id="appendix-G-3.1">
<p id="appendix-G-3.1.1">Deleting an obsolete sentence in Section 8.8<a href="#appendix-G-3.1.1" class="pilcrow"></a></p>
<p id="appendix-G-3.1.1">Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent in CMP V3 as proposed by Tomas<a href="#appendix-G-3.1.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="appendix-G-3.2">
<p id="appendix-G-3.2.1">Deleted an obsolete sentence in Section 8.8<a href="#appendix-G-3.2.1" class="pilcrow"></a></p>
</li>
</ul>
<p id="appendix-G-4">From version 07 -&gt; 08:<a href="#appendix-G-4" class="pilcrow"></a></p>
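Review bot: the change-history entry credits the proposal to "Tomas" by first name only; history entries in IETF drafts are normally traceable, so give the full name (or add him to the Acknowledgements) and, if one exists, the mailing-list thread or issue where the deprecation was proposed. The parallel wording of the two bullets ("Deprecated ...", "Deleted ...") reads well now that the older entry was changed from "Deleting" to "Deleted".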
Expand Down