
Internet X.509 Public Key Infrastructure Certificate Management Protocols

Network Working Group                                          C. Adams
Request for Comments: 2510                         Entrust Technologies
Category: Standards Track                                    S. Farrell
                                                                    SSE
                                                             March 1999

Internet X.509 Public Key Infrastructure Certificate Management Protocols

Status of this Memo:

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice:

Copyright (C) The Internet Society (1998). All Rights Reserved.

Abstract:

This document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocols. Protocol messages are defined for all relevant aspects of certificate creation and management. Note that "certificate" in this document refers to an X.509v3 Certificate as defined in [COR95, X509-AM].

The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, as shown) are to be interpreted as described in [RFC2119].

Contents

1 PKI Management Overview
  1.1 PKI Management Model
  1.2 Definitions of PKI Entities
    1.2.1 Subjects and End Entities
    1.2.2 Certification Authority
    1.2.3 Registration Authority
  1.3 PKI Management Requirements
  1.4 PKI Management Operations
2 Assumptions and restrictions
  2.1 End entity initialization
  2.2 Initial registration/certification
    2.2.1 Criteria used
    2.2.2 Mandatory schemes
  2.3 Proof of Possession (POP) of Private Key
    2.3.1 Signature Keys
    2.3.2 Encryption Keys
    2.3.3 Key Agreement Keys
  2.4 Root CA key update
    2.4.1 CA Operator actions
    2.4.2 Verifying Certificates
    2.4.3 Revocation - Change of CA key
3 Data Structures
  3.1 Overall PKI Message
    3.1.1 PKI Message Header
    3.1.2 PKI Message Body
    3.1.3 PKI Message Protection
  3.2 Common Data Structures
    3.2.1 Requested Certificate Contents
    3.2.2 Encrypted Values
    3.2.3 Status codes and Failure Information for PKI messages
    3.2.4 Certificate Identification
    3.2.5 "Out-of-band" root CA public key
    3.2.6 Archive Options
    3.2.7 Publication Information
    3.2.8 Proof-of-Possession Structures
  3.3 Operation-Specific Data Structures
    3.3.1 Initialization Request
    3.3.2 Initialization Response
    3.3.3 Registration/Certification Request
    3.3.4 Registration/Certification Response
    3.3.5 Key update request content
    3.3.6 Key Update response content
    3.3.7 Key Recovery Request content
    3.3.8 Key recovery response content
    3.3.9 Revocation Request Content
    3.3.10 Revocation Response Content
    3.3.11 Cross certification request content
    3.3.12 Cross certification response content
    3.3.13 CA Key Update Announcement content
    3.3.14 Certificate Announcement
    3.3.15 Revocation Announcement
    3.3.16 CRL Announcement
    3.3.17 PKI Confirmation content
    3.3.18 PKI General Message content
    3.3.19 PKI General Response content
    3.3.20 Error Message content
4 Mandatory PKI Management functions
  4.1 Root CA initialization
  4.2 Root CA key update
  4.3 Subordinate CA initialization
  4.4 CRL production
  4.5 PKI information request
  4.6 Cross certification
    4.6.1 One-way request-response scheme
    4.6.2 End entity initialization
    4.6.3 Acquisition of PKI information
    4.6.4 Out-of-Band Verification of Root-CA Key
  4.7 Certificate Request
  4.8 Key Update
5 Transports
  5.1 File based protocol
  5.2 Direct TCP-Based Management Protocol
  5.3 Management Protocol via E-mail
  5.4 Management Protocol via HTTP
6 SECURITY CONSIDERATIONS
Bibliography
7 Acknowledgements
8 Authors' Addresses
A Reasons for the presence of RAs
B PKI Management Message Profiles
  B.1 General Rules for interpretation of these profiles
  B.2 Algorithm Use Profile
  B.3 "Self-signed" certificates
  B.4 Proof of Possession Profile
  B.5 Root CA Key Update
  B.6 PKI Information request/response
  B.7 Cross certification request/response (1-way)
  B.8 Initial Registration/Certification (Basic Authenticated Scheme)
  B.9 Certificate Request
  B.10 Key Update Request
C "Compilable" ASN.1 Module using 1988 Syntax
D Registration of MIME Type for Section 5

converted into PDF format by Future Systems, Inc. (http://www.future.co.kr)

Introduction

The layout of this document is as follows:

- Section 1 contains an overview of PKI management;
- Section 2 contains discussion of assumptions and restrictions;
- Section 3 contains data structures used for PKI management messages;
- Section 4 defines the functions that are to be carried out in PKI management by conforming implementations;
- Section 5 describes a simple protocol for transporting PKI messages;
- the Appendices specify profiles for conforming implementations and provide an ASN.1 module containing the syntax for all messages defined in this specification.

1 PKI Management Overview

The PKI must be structured to be consistent with the types of individuals who must administer it. Providing such administrators with unbounded choices not only complicates the software required but also increases the chances that a subtle mistake by an administrator or software developer will result in broader compromise. Similarly, restricting administrators with cumbersome mechanisms will cause them not to use the PKI.

Management protocols are REQUIRED to support on-line interactions between Public Key Infrastructure (PKI) components. For example, a management protocol might be used between a Certification Authority (CA) and a client system with which a key pair is associated, or between two CAs that issue cross-certificates for each other.

1.1 PKI Management Model

Before specifying particular message formats and procedures we first define the entities involved in PKI management and their interactions (in terms of the PKI management functions required). We then group these functions in order to accommodate different identifiable types of end entities.

1.2 Definitions of PKI Entities

The entities involved in PKI management include the end entity (i.e., the entity to be named in the subject field of a certificate) and the certification authority (i.e., the entity named in the issuer field of a certificate). A registration authority MAY also be involved in PKI management.

1.2.1 Subjects and End Entities

The term "subject" is used here to refer to the entity named in the subject field of a certificate; when we wish to distinguish the tools and/or software used by the subject (e.g., a local certificate management module) we will use the term "subject equipment". In general, the term "end entity" (EE) rather than subject is preferred in order to avoid confusion with the field name.

It is important to note that the end entities here will include not only human users of applications, but also applications themselves (e.g., for IP security). This factor influences the protocols which the PKI management operations use; for example, application software is far more likely to know exactly which certificate extensions are required than are human users. PKI management entities are also end entities in the sense that they are sometimes named in the subject field of a certificate or cross-certificate. Where appropriate, the term "end-entity" will be used to refer to end entities who are not PKI management entities.

All end entities require secure local access to some information -- at a minimum, their own name and private key, the name of a CA which is directly trusted by this entity and that CA's public key (or a fingerprint of the public key where a self-certified version is available elsewhere). Implementations MAY use secure local storage for more than this minimum (e.g., the end entity's own certificate or application-specific information). The form of storage will also vary -- from files to tamper-resistant cryptographic tokens. Such local trusted storage is referred to here as the end entity's Personal Security Environment (PSE).

Though PSE formats are beyond the scope of this document (they are very dependent on equipment, et cetera), a generic interchange format for PSEs is defined here - a certification response message MAY be used.


1.2.2 Certification Authority

The certification authority (CA) may or may not actually be a real "third party" from the end entity's point of view. Quite often, the CA will actually belong to the same organization as the end entities it supports.

Again, we use the term CA to refer to the entity named in the issuer field of a certificate; when it is necessary to distinguish the software or hardware tools used by the CA we use the term "CA equipment".

The CA equipment will often include both an "off-line" component and an "on-line" component, with the CA private key only available to the "off-line" component. This is, however, a matter for implementers (though it is also relevant as a policy issue).

We use the term "root CA" to indicate a CA that is directly trusted by an end entity; that is, securely acquiring the value of a root CA public key requires some out-of-band step(s). This term is not meant to imply that a root CA is necessarily at the top of any hierarchy, simply that the CA in question is trusted directly.

A "subordinate CA" is one that is not a root CA for the end entity in question. Often, a subordinate CA will not be a root CA for any entity but this is not mandatory.

1.2.3 Registration Authority

In addition to end-entities and CAs, many environments call for the existence of a Registration Authority (RA) separate from the Certification Authority. The functions which the registration authority may carry out will vary from case to case but MAY include personal authentication, token distribution, revocation reporting, name assignment, key generation, archival of key pairs, et cetera.

This document views the RA as an OPTIONAL component - when it is not present the CA is assumed to be able to carry out the RA's functions so that the PKI management protocols are the same from the end-entity's point of view.

Again, we distinguish, where necessary, between the RA and the tools used (the "RA equipment").

Note that an RA is itself an end entity. We further assume that all RAs are in fact certified end entities and that RAs have private keys that are usable for signing. How a particular CA equipment identifies some end entities as RAs is an implementation issue (i.e., this document specifies no special RA certification operation). We do not mandate that the RA is certified by the CA with which it is interacting at the moment (so one RA may work with more than one CA whilst only being certified once).

In some circumstances end entities will communicate directly with a CA even where an RA is present. For example, for initial registration and/or certification the subject may use its RA, but communicate directly with the CA in order to refresh its certificate.

1.3 PKI Management Requirements

The protocols given here meet the following requirements on PKI management.

1. PKI management must conform to the ISO 9594-8 standard and the associated amendments (certificate extensions).

2. PKI management must conform to the other parts of this series.

3. It must be possible to regularly update any key pair without affecting any other key pair.

4. The use of confidentiality in PKI management protocols must be kept to a minimum in order to ease regulatory problems.

5. PKI management protocols must allow the use of different industry-standard cryptographic algorithms (specifically including RSA, DSA, MD5, SHA-1) -- this means that any given CA, RA, or end entity may, in principle, use whichever algorithms suit it for its own key pair(s).

6. PKI management protocols must not preclude the generation of key pairs by the end-entity concerned, by an RA, or by a CA -- key generation may also occur elsewhere, but for the purposes of PKI management we can regard key generation as occurring wherever the key is first present at an end entity, RA, or CA.

7. PKI management protocols must support the publication of certificates by the end-entity concerned, by an RA, or by a CA. Different implementations and different environments may choose any of the above approaches.

8. PKI management protocols must support the production of Certificate Revocation Lists (CRLs) by allowing certified end entities to make requests for the revocation of certificates - this must be done in such a way that the denial-of-service attacks which are possible are not made simpler.

9. PKI management protocols must be usable over a variety of "transport" mechanisms, specifically including mail, http, TCP/IP and ftp.

10. Final authority for certification creation rests with the CA; no RA or end-entity equipment can assume that any certificate issued by a CA will contain what was requested -- a CA may alter certificate field values or may add, delete or alter extensions according to its operating policy. In other words, all PKI entities (end-entities, RAs, and CAs) must be capable of handling responses to requests for certificates in which the actual certificate issued is different from that requested (for example, a CA may shorten the validity period requested). Note that policy may dictate that the CA must not publish or otherwise distribute the certificate until the requesting entity has reviewed and accepted the newly-created certificate (typically through use of the PKIConfirm message).

11. A graceful, scheduled change-over from one non-compromised CA key pair to the next (CA key update) must be supported (note that if the CA key is compromised, re-initialization must be performed for all entities in the domain of that CA). An end entity whose PSE contains the new CA public key (following a CA key update) must also be able to verify certificates verifiable using the old public key. End entities who directly trust the old CA key pair must also be able to verify certificates signed using the new CA private key. (Required for situations where the old CA public key is "hardwired" into the end entity's cryptographic equipment).

12. The functions of an RA may, in some implementations or environments, be carried out by the CA itself. The protocols must be designed so that end entities will use the same protocol (but, of course, not the same key!) regardless of whether the communication is with an RA or CA.

13. Where an end entity requests a certificate containing a given public key value, the end entity must be ready to demonstrate possession of the corresponding private key value. This may be accomplished in various ways, depending on the type of certification request. See Section 2.3, "Proof of Possession of Private Key", for details of the in-band methods defined for the PKIX-CMP (i.e., Certificate Management Protocol) messages.

1.4 PKI Management Operations

The following diagram shows the relationship between the entities defined above in terms of the PKI management operations. The letters in the diagram indicate "protocols" in the sense that a defined set of PKI management messages can be sent along each of the lettered lines.

   +---+       cert. publish        +------------+  j
   |   |  <---------------------    | End Entity | <-------
   | C |                            +------------+   "out-of-band"
   | e |                                 |  ^          loading
   | r |                                 |  |        initial
   | t |                               a |  | b      registration/
   |   |                                 |  |        certification
   | / |                                 |  |        key pair recovery
   |   |                                 |  |        key pair update
   | C |                                 |  |        certificate update
   | R |   PKI "USERS"                   V  |        revocation request
   | L |  -------------------+-+-----+-+------+-+-------------------
   |   |   PKI MANAGEMENT      | ^         | ^
   |   |   ENTITIES          a | | b     a | | b
   | R |                       V |         | |
   | e |               g   +------+   d    | |
   | p |   <------------   | RA   | <-----+ | |
   | o |    cert.          |      | ----+ | | |
   | s |    publish        +------+   c | | | |
   | i |                                | | | |
   | t |                                V | V |
   | o |   g               +------------+  i
   | r |   <---------------|     CA     |------->
   | y |         h         +------------+   "out-of-band"
   |   |    cert. publish        |  ^        publication
   |   |    CRL publish          |  |
   +---+                         |  |   cross-certification
                              e  |  | f   cross-certificate
                                 |  |        update
                                 V  |
                              +------+
                              | CA-2 |
                              +------+

                       Figure 1 - PKI Entities

At a high level the set of operations for which management messages are defined can be grouped as follows.

1. CA establishment: When establishing a new CA, certain steps are required (e.g., production of initial CRLs, export of CA public key).

2. End entity initialization: this includes importing a root CA public key and requesting information about the options supported by a PKI management entity.

3. Certification: various operations result in the creation of new certificates:

   (a) initial registration/certification: This is the process whereby an end entity first makes itself known to a CA or RA, prior to the CA issuing a certificate or certificates for that end entity. The end result of this process (when it is successful) is that a CA issues a certificate for an end entity's public key, and returns that certificate to the end entity and/or posts that certificate in a public repository. This process may, and typically will, involve multiple "steps", possibly including an initialization of the end entity's equipment. For example, the end entity's equipment must be securely initialized with the public key of a CA, to be used in validating certificate paths. Furthermore, an end entity typically needs to be initialized with its own key pair(s).

   (b) key pair update: Every key pair needs to be updated regularly (i.e., replaced with a new key pair), and a new certificate needs to be issued.

   (c) certificate update: As certificates expire they may be "refreshed" if nothing relevant in the environment has changed.

   (d) CA key pair update: As with end entities, CA key pairs need to be updated regularly; however, different mechanisms are required.

   (e) cross-certification request: One CA requests issuance of a cross-certificate from another CA. For the purposes of this standard, the following terms are defined. A "cross-certificate" is a certificate in which the subject CA and the issuer CA are distinct and SubjectPublicKeyInfo contains a verification key (i.e., the certificate has been issued for the subject CA's signing key pair). When it is necessary to distinguish more finely, the following terms may be used: a cross-certificate is called an "inter-domain cross-certificate" if the subject and issuer CAs belong to different administrative domains; it is called an "intra-domain cross-certificate" otherwise.

   Notes:

   Note 1. The above definition of "cross-certificate" aligns with the defined term "CA-certificate" in X.509. Note that this term is not to be confused with the X.500 "cACertificate" attribute type, which is unrelated.

   Note 2. In many environments the term "cross-certificate", unless further qualified, will be understood to be synonymous with "inter-domain cross-certificate" as defined above.

   Note 3. Issuance of cross-certificates may be, but is not necessarily, mutual; that is, two CAs may issue cross-certificates for each other.

   (f) cross-certificate update: Similar to a normal certificate update but involving a cross-certificate.

4. Certificate/CRL discovery operations: some PKI management operations result in the publication of certificates or CRLs:

   (a) certificate publication: Having gone to the trouble of producing a certificate, some means for publishing it is needed. The "means" defined in PKIX MAY involve the messages specified in Sections 3.3.13 - 3.3.16, or MAY involve other methods (LDAP, for example) as described in the "Operational Protocols" documents of the PKIX series of specifications.

   (b) CRL publication: As for certificate publication.

5. Recovery operations: some PKI management operations are used when an end entity has "lost" its PSE:

   (a) key pair recovery: As an option, user client key materials (e.g., a user's private key used for decryption purposes) MAY be backed up by a CA, an RA, or a key backup system associated with a CA or RA. If an entity needs to recover these backed up key materials (e.g., as a result of a forgotten password or a lost key chain file), a protocol exchange may be needed to support such recovery.

6. Revocation operations: some PKI operations result in the creation of new CRL entries and/or new CRLs:

   (a) revocation request: An authorized person advises a CA of an abnormal situation requiring certificate revocation.

7. PSE operations: whilst the definition of PSE operations (e.g., moving a PSE, changing a PIN, etc.) is beyond the scope of this specification, we do define a PKIMessage (CertRepMessage) which can form the basis of such operations.

Note that on-line protocols are not the only way of implementing the above operations. For all operations there are off-line methods of achieving the same result, and this specification does not mandate use of on-line protocols. For example, when hardware tokens are used, many of the operations MAY be achieved as part of the physical token delivery.

Later sections define a set of standard messages supporting the above operations. The protocols for conveying these exchanges in different environments (file based, on-line, E-mail, and WWW) are also specified.

2 Assumptions and restrictions

2.1 End entity initialization

The first step for an end entity in dealing with PKI management entities is to request information about the PKI functions supported and to securely acquire a copy of the relevant root CA public key(s).

2.2 Initial registration/certification

There are many schemes that can be used to achieve initial registration and certification of end entities. No one method is suitable for all situations due to the range of policies which a CA may implement and the variation in the types of end entity which can occur.

We can, however, classify the initial registration/certification schemes that are supported by this specification. Note that the word "initial", above, is crucial - we are dealing with the situation where the end entity in question has had no previous contact with the PKI. Where the end entity already possesses certified keys then some simplifications/alternatives are possible.

Having classified the schemes that are supported by this specification we can then specify some as mandatory and some as optional. The goal is that the mandatory schemes cover a sufficient number of the cases which will arise in real use, whilst the optional schemes are available for special cases which arise less frequently. In this way we achieve a balance between flexibility and ease of implementation.

We will now describe the classification of initial registration/certification schemes.

2.2.1 Criteria used

2.2.1.1 Initiation of registration/certification

In terms of the PKI messages which are produced we can regard the initiation of the initial registration/certification exchanges as occurring wherever the first PKI message relating to the end entity is produced. Note that the real-world initiation of the registration/certification procedure may occur elsewhere (e.g., a personnel department may telephone an RA operator).

The possible locations are at the end entity, an RA, or a CA.

2.2.1.2 End entity message origin authentication

The on-line messages produced by the end entity that requires a certificate may be authenticated or not. The requirement here is to authenticate the origin of any messages from the end entity to the PKI (CA/RA).

In this specification, such authentication is achieved by the PKI (CA/RA) issuing the end entity with a secret value (initial authentication key) and reference value (used to identify the transaction) via some out-of-band means. The initial authentication key can then be used to protect relevant PKI messages.

We can thus classify the initial registration/certification scheme according to whether or not the on-line end entity PKI messages are authenticated.

Note 1: We do not discuss the authentication of the PKI end entity messages here as this is always REQUIRED. In any case, it can be achieved simply once the root-CA public key has been installed at the end entity's equipment or it can be based on the initial authentication key.

Note 2: An initial registration/certification procedure can be secure where the messages from the end entity are authenticated via some out-of-band means (e.g., a subsequent visit).

2.2.1.3 Location of key generation

In this specification, "key generation" is regarded as occurring wherever either the public or private component of a key pair first occurs in a PKIMessage. Note that this does not preclude a centralized key generation service - the actual key pair MAY have been generated elsewhere and transported to the end entity, RA, or CA using a (proprietary or standardized) key generation request/response protocol (outside the scope of this specification).

There are thus three possibilities for the location of "key generation": the end entity, an RA, or a CA.

2.2.1.4 Confirmation of successful certification

Following the creation of an initial certificate for an end entity, additional assurance can be gained by having the end entity explicitly confirm successful receipt of the message containing (or indicating the creation of) the certificate. Naturally, this confirmation message must be protected (based on the initial authentication key or other means).

This gives two further possibilities: confirmed or not.

2.2.2 Mandatory schemes

The criteria above allow for a large number of initial registration/certification schemes. This specification mandates that conforming CA equipment, RA equipment, and EE equipment MUST support the second scheme listed below.

Any entity MAY additionally support other schemes, if desired.

2.2.2.1 Centralized scheme

In terms of the classification above, this scheme is, in some ways, the simplest possible, where:

- initiation occurs at the certifying CA;
- no on-line message authentication is required;
- "key generation" occurs at the certifying CA (see Section 2.2.1.3);
- no confirmation message is required.

In terms of message flow, this scheme means that the only message required is sent from the CA to the end entity. The message must contain the entire PSE for the end entity. Some out-of-band means must be provided to allow the end entity to authenticate the message received and decrypt any encrypted values.

2.2.2.2 Basic authenticated scheme

In terms of the classification above, this scheme is where:

- initiation occurs at the end entity;
- message authentication is REQUIRED;
- "key generation" occurs at the end entity (see Section 2.2.1.3);
- a confirmation message is REQUIRED.

In terms of message flow, the basic authenticated scheme is as follows:

   End entity                                          RA/CA
   ==========                                    =============
               out-of-band distribution of Initial
               Authentication Key (IAK) and reference
               value (RA/CA -> EE)
   Key generation
   Creation of certification request
   Protect request with IAK
                   -->>--certification request-->>--
                                                  verify request
                                                  process request
                                                  create response
                   --<<--certification response--<<--
   handle response
   create confirmation
                   -->>--confirmation message-->>--
                                                  verify confirmation

(Where verification of the confirmation message fails, the RA/CA MUST revoke the newly issued certificate if it has been published or otherwise made available.)
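The flow above, simulated end to end as an added example that is not code from RFC 2510. The HMAC-SHA256 protection under the IAK, the dict message format, the `RegistrationAuthority` and `end_entity_enrol` names and the random string standing in for key generation are all assumptions of the example, not something the text specifies.

```python
"""Basic authenticated scheme of Section 2.2.2.2, simulated end to end.

Added example, not code from RFC 2510. Assumptions not in the text: the
message protection is HMAC-SHA256 keyed with the Initial Authentication
Key (IAK), messages are dicts serialised as canonical JSON, the
certificate is a dict, and key generation is simulated by a random
string. The RA/CA keeps the certificates it has made available so that a
failed confirmation triggers the revocation the text requires.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(body: dict, iak: bytes) -> dict:
    """Wrap a message body with a MAC computed under the IAK."""
    return {"body": body, "mac": hmac.new(iak, _canonical(body), hashlib.sha256).hexdigest()}


def verify_protection(msg: dict, iak: bytes) -> bool:
    expected = hmac.new(iak, _canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


class RegistrationAuthority:
    """RA/CA side of the exchange."""

    def __init__(self):
        self.pending = {}     # reference value -> IAK for transactions not yet confirmed
        self.published = {}   # serial -> certificate already made available
        self.revoked = set()

    def enrol_out_of_band(self) -> tuple:
        """Out-of-band distribution of IAK and reference value (RA/CA -> EE)."""
        reference, iak = secrets.token_hex(4), secrets.token_bytes(32)
        self.pending[reference] = iak
        return reference, iak

    def handle_request(self, request: dict):
        """verify request / process request / create response; None if the origin check fails."""
        reference = request["body"]["reference"]
        iak = self.pending.get(reference)
        if iak is None or not verify_protection(request, iak):
            return None
        cert = {"serial": len(self.published) + 1,
                "subject": request["body"]["subject"],
                "public_key": request["body"]["public_key"]}
        self.published[cert["serial"]] = cert   # made available before confirmation arrives
        return protect({"reference": reference, "cert": cert}, iak)

    def handle_confirmation(self, confirmation: dict) -> str:
        """verify confirmation; on failure revoke the certificate already published."""
        body = confirmation["body"]
        cert = self.published.get(body["serial"])
        if cert is None:
            return "unknown"
        iak = self.pending.get(body["reference"])
        cert_hash = hashlib.sha256(_canonical(cert)).hexdigest()
        if (iak is None or not verify_protection(confirmation, iak)
                or not hmac.compare_digest(cert_hash, body["cert_hash"])):
            self.revoked.add(cert["serial"])
            return "revoked"
        del self.pending[body["reference"]]    # transaction complete
        return "confirmed"


def end_entity_enrol(ra: RegistrationAuthority, subject: str, lose_iak: bool = False) -> str:
    """EE side: key generation, protected request, handle response, confirm."""
    reference, iak = ra.enrol_out_of_band()
    public_key = "pk-" + secrets.token_hex(8)            # stands in for key generation
    request = protect({"reference": reference, "subject": subject, "public_key": public_key}, iak)
    response = ra.handle_request(request)
    if response is None or not verify_protection(response, iak):
        return "request failed"
    cert = response["body"]["cert"]
    # lose_iak models an EE that can no longer protect its confirmation correctly
    confirm_key = secrets.token_bytes(32) if lose_iak else iak
    confirmation = protect({"reference": reference, "serial": cert["serial"],
                            "cert_hash": hashlib.sha256(_canonical(cert)).hexdigest()}, confirm_key)
    return ra.handle_confirmation(confirmation)
```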

2.3 Proof of Possession (POP) of Private Key

In order to prevent certain attacks and to allow a CA/RA to properly check the validity of the binding between an end entity and a key pair, the PKI management operations specified here make it possible for an end entity to prove that it has possession of (i.e., is able to use) the private key corresponding to the public key for which a certificate is requested. A given CA/RA is free to choose how to enforce POP (e.g., out-of-band procedural means versus PKIX-CMP in-band messages) in its certification exchanges (i.e., this may be a policy issue). However, it is REQUIRED that CAs/RAs MUST enforce POP by some means because there are currently many non-PKIX operational protocols in use (various electronic mail protocols are one example) that do not explicitly check the binding between the end entity and the private key. Until operational protocols that do verify the binding (for signature, encryption, and key agreement key pairs) exist, and are ubiquitous, this binding can only be assumed to have been verified by the CA/RA. Therefore, if the binding is not verified by the CA/RA, certificates in the Internet Public-Key Infrastructure end up being somewhat less meaningful.

POP is accomplished in different ways depending upon the type of key for which a certificate is requested. If a key can be used for multiple purposes (e.g., an RSA key) then any appropriate method MAY be used (e.g., a key which may be used for signing, as well as other purposes, SHOULD NOT be sent to the CA/RA in order to prove possession).

This specification explicitly allows for cases where an end entity supplies the relevant proof to an RA and the RA subsequently attests to the CA that the required proof has been received (and validated!). For example, an end entity wishing to have a signing key certified could send the appropriate signature to the RA which then simply notifies the relevant CA that the end entity has supplied the required proof. Of course, such a situation may be disallowed by some policies (e.g., CAs may be the only entities permitted to verify POP during certification).

2.3.1 Signature Keys

For signature keys, the end entity can sign a value to prove possession of the private key.

2.3.2 Encryption Keys

For encryption keys, the end entity can provide the private key to the CA/RA, or can be required to decrypt a value in order to prove possession of the private key (see Section 3.2.8). Decrypting a value can be achieved either directly or indirectly.

The direct method is for the RA/CA to issue a random challenge to which an immediate response by the EE is required.

The indirect method is to issue a certificate which is encrypted for the end entity (and have the end entity demonstrate its ability to decrypt this certificate in the confirmation message). This allows a CA to issue a certificate in a form which can only be used by the intended end entity.

This specification encourages use of the indirect method because this requires no extra messages to be sent (i.e., the proof can be demonstrated using the request, response, confirmation triple of messages).

2.3.3 Key Agreement Keys

For key agreement keys, the end entity and the PKI management entity (i.e., CA or RA) must establish a shared secret key in order to prove that the end entity has possession of the private key.

Note that this need not impose any restrictions on the keys that can be certified by a given CA -- in particular, for Diffie-Hellman keys the end entity may freely choose its algorithm parameters -- provided that the CA can generate a short-term (or one-time) key pair with the appropriate parameters when necessary.

2.4RootCAkeyupdate

ThisdiscussiononlyappliestoCAsthatarearootCAforsomeendentity.

ThebasisoftheproceduredescribedhereisthattheCAprotectsitsnewpublickeyusingitspreviousprivatekeyandviceversa.ThuswhenaCAupdatesitskeypairitmustgeneratetwoextracACertificateattributevaluesifcertificatesaremadeavailableusinganX.500directory(foratotaloffour:OldWithOld;OldWithNew;NewWithOld;andNewWithNew).

WhenaCAchangesitskeypairthoseentitieswhohaveacquiredtheoldCApublickeyvia”out-of-band”meansaremostaffected.ItistheseendentitieswhowillneedaccesstothenewCApublickeyprotectedwiththeoldCAprivatekey.However,theywillonlyrequirethisforalimitedperiod(untiltheyhaveacquiredthenewCApublickeyviathe”out-of-band”mechanism).Thiswilltypicallybeeasilyachievedwhentheseendentities’certificatesexpire.

ThedatastructureusedtoprotectthenewandoldCApublickeysisastandardcertificate(whichmayalsocontainextensions).Therearenonewdatastructuresrequired.

Note1.ThisschemedoesnotmakeuseofanyoftheX.509v3extensionsasitmustbeabletoworkevenforversion1certificates.ThepresenceoftheKeyIdentifierextensionwouldmakeforefficiencyimprovements.

Note2.WhiletheschemecouldbegeneralizedtocovercaseswheretheCAupdatesitskeypairmorethanonceduringthevalidityperiodofoneofitsendentities’certificates,thisgeneralizationseemsofdubiousvalue.NothavingconvertedintoPDFformatbyFutureSystems,Inc.(http://www.future.co.kr)

8

thisgeneralizationsimplymeansthatthevalidityperiodofaCAkeypairmustbegreaterthanthevalidityperiodofanycertificateissuedbythatCAusingthatkeypair.

Note3.ThisschemeforcesendentitiestoacquirethenewCApublickeyontheexpiryofthelastcertificatetheyownedthatwassignedwiththeoldCAprivatekey(viathe”out-of-band”means).Certificateand/orkeyupdateoperationsoccurringatothertimesdonotnecessarilyrequirethis(dependingontheendentity’sequipment).2.4.1CAOperatoractions

To change the key of the CA, the CA operator does the following:

   1. Generate a new key pair;

   2. Create a certificate containing the old CA public key signed with the new private key (the "old with new" certificate);

   3. Create a certificate containing the new CA public key signed with the old private key (the "new with old" certificate);

   4. Create a certificate containing the new CA public key signed with the new private key (the "new with new" certificate);

   5. Publish these new certificates via the directory and/or other means (perhaps using a CAKeyUpdAnn message);

   6. Export the new CA public key so that end entities may acquire it using the "out-of-band" mechanism (if required).

The old CA private key is then no longer required. The old CA public key will however remain in use for some time. The time when the old CA public key is no longer required (other than for non-repudiation) will be when all end entities of this CA have securely acquired the new CA public key.

The "old with new" certificate must have a validity period starting at the generation time of the old key pair and ending at the expiry date of the old public key.

The "new with old" certificate must have a validity period starting at the generation time of the new key pair and ending at the time by which all end entities of this CA will securely possess the new CA public key (at the latest, the expiry date of the old public key).

The "new with new" certificate must have a validity period starting at the generation time of the new key pair and ending at the time by which the CA will next update its key pair.

2.4.2 Verifying Certificates

Normally when verifying a signature, the verifier verifies (among other things) the certificate containing the public key of the signer. However, once a CA is allowed to update its key there are a range of new possibilities. These are shown in the table below.

                          Repository contains       Repository contains only
                          NEW and OLD public keys   OLD public key (due to,
                                                    e.g., delay in publication)

                          PSE contains  PSE contains  PSE contains  PSE contains
                          NEW public    OLD public    NEW public    OLD public
                          key           key           key           key

   Signer's certificate   Case 1        Case 3        Case 5        Case 7
   is protected using
   NEW public key

   Signer's certificate   Case 2        Case 4        Case 6        Case 8
   is protected using
   OLD public key

   Case 1: This is the standard case where the verifier can directly verify the certificate without using the directory.

   Case 2: In this case the verifier must access the directory in order to get the value of the OLD public key.

   Case 3: In this case the verifier must access the directory in order to get the value of the NEW public key.

   Case 4: In this case the verifier can directly verify the certificate without using the directory.

   Case 5: Although the CA operator has not updated the directory the verifier can verify the certificate directly - this is thus the same as case 1.

   Case 6: The verifier thinks this is the situation of case 2 and will access the directory; however, the verification will FAIL.

   Case 7: In this case the CA operator has not updated the directory and so the verification will FAIL.

   Case 8: Although the CA operator has not updated the directory the verifier can verify the certificate directly - this is thus the same as case 4.

2.4.2.1 Verification in cases 1, 4, 5 and 8.

In these cases the verifier has a local copy of the CA public key which can be used to verify the certificate directly. This is the same as the situation where no key change has occurred.

Note that case 8 may arise between the time when the CA operator has generated the new key pair and the time when the CA operator stores the updated attributes in the directory. Case 5 can only arise if the CA operator has issued both the signer's and verifier's certificates during this "gap" (the CA operator SHOULD avoid this as it leads to the failure cases described below).

2.4.2.2 Verification in case 2.

In case 2 the verifier must get access to the old public key of the CA. The verifier does the following:

   1. Look up the caCertificate attribute in the directory and pick the OldWithNew certificate (determined based on validity periods);

   2. Verify that this is correct using the new CA key (which the verifier has locally);

   3. If correct, check the signer's certificate using the old CA key.

Case 2 will arise when the CA operator has issued the signer's certificate, then changed key and then issued the verifier's certificate, so it is quite a typical case.

2.4.2.3 Verification in case 3.

In case 3 the verifier must get access to the new public key of the CA. The verifier does the following:

   1. Look up the caCertificate attribute in the directory and pick the NewWithOld certificate (determined based on validity periods);

   2. Verify that this is correct using the old CA key (which the verifier has stored locally);

   3. If correct, check the signer's certificate using the new CA key.

Case 3 will arise when the CA operator has issued the verifier's certificate, then changed key and then issued the signer's certificate, so it is also quite a typical case.

2.4.2.4 Failure of verification in case 6.

In this case the CA has issued the verifier's PSE containing the new key without updating the directory attributes. This means that the verifier has no means to get a trustworthy version of the CA's old key and so verification fails.

Note that the failure is the CA operator's fault.

2.4.2.5 Failure of verification in case 7.

In this case the CA has issued the signer's certificate protected with the new key without updating the directory attributes. This means that the verifier has no means to get a trustworthy version of the CA's new key and so verification fails.

Note that the failure is again the CA operator's fault.

2.4.3 Revocation - Change of CA key

As we saw above the verification of a certificate becomes more complex once the CA is allowed to change its key. This is also true for revocation checks as the CA may have signed the CRL using a newer private key than the one that is within the user's PSE.

The analysis of the alternatives is as for certificate verification.
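The operator actions of 2.4.1 and the verification cases of 2.4.2, worked through as an added example that is not part of RFC 2510. Certificates are modelled as plain records and a "signature" is modelled as the identifier of the key that issued the certificate, so the code shows the path-selection and validity-period logic (which bridging certificate a verifier must fetch, and when the fetch cannot succeed) rather than real signature verification. The Cert type, pick_path, and the sample timeline with keys "ca-old"/"ca-new" are assumptions made for this illustration.

```python
"""CA key rollover: which bridging certificate does a verifier need?

Added example, not code from RFC 2510.  Signatures are modelled by the
issuer_key identifier recorded in each certificate (an assumption of this
illustration); real code would verify the signature with that key.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_key: str   # identifier of the public key being certified
    issuer_key: str    # identifier of the private key that signed it
    not_before: int    # validity window, in simple integer time units
    not_after: int


def valid_at(cert: Cert, t: int) -> bool:
    return cert.not_before <= t <= cert.not_after


def pick_path(signer_cert: Cert, trusted_key: str, repository, now: int):
    """Return the certificates linking signer_cert to the key in the verifier's PSE.

    Cases 1/4/5/8: signer_cert was issued under the trusted key -> [signer_cert].
    Cases 2/3:     a bridging CA certificate (OldWithNew or NewWithOld) is
                   selected from the repository by issuer key and validity period.
    Cases 6/7:     no usable bridge has been published -> ValueError (FAIL).
    """
    if not valid_at(signer_cert, now):
        raise ValueError("signer certificate not valid at this time")
    if signer_cert.issuer_key == trusted_key:
        return [signer_cert]
    bridges = [c for c in repository
               if c.subject_key == signer_cert.issuer_key
               and c.issuer_key == trusted_key
               and valid_at(c, now)]
    if not bridges:
        raise ValueError("no bridging CA certificate for key %s signed by %s"
                         % (signer_cert.issuer_key, trusted_key))
    return [signer_cert, bridges[0]]


# Constructed timeline (assumption): old CA key generated at 0 and expiring at
# 100; new CA key generated at 50, next rollover planned at 150.  The three
# validity windows follow the rules of section 2.4.1.
OLD_WITH_NEW = Cert("ca-old", "ca-new", 0, 100)
NEW_WITH_OLD = Cert("ca-new", "ca-old", 50, 100)
NEW_WITH_NEW = Cert("ca-new", "ca-new", 50, 150)
FULL_REPOSITORY = [OLD_WITH_NEW, NEW_WITH_OLD, NEW_WITH_NEW]
# Repository the operator has not yet updated: only the old self-signed cert.
STALE_REPOSITORY = [Cert("ca-old", "ca-old", 0, 100)]

SIGNER_OLD = Cert("alice", "ca-old", 10, 90)   # issued before the rollover
SIGNER_NEW = Cert("alice", "ca-new", 60, 140)  # issued after the rollover


def demo(now: int = 70) -> dict:
    """Run the table's cases; values are the key ids of the path, or 'FAIL'."""
    results = {}
    trials = {
        "case1": (SIGNER_NEW, "ca-new", FULL_REPOSITORY),
        "case2": (SIGNER_OLD, "ca-new", FULL_REPOSITORY),
        "case3": (SIGNER_NEW, "ca-old", FULL_REPOSITORY),
        "case6": (SIGNER_OLD, "ca-new", STALE_REPOSITORY),
        "case7": (SIGNER_NEW, "ca-old", STALE_REPOSITORY),
    }
    for name, (signer, trusted, repo) in trials.items():
        try:
            results[name] = [c.subject_key for c in pick_path(signer, trusted, repo, now)]
        except ValueError:
            results[name] = "FAIL"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Running demo() at time 70 gives a direct path for case 1, the OldWithNew bridge for case 2, the NewWithOld bridge for case 3, and FAIL for cases 6 and 7. Calling pick_path for case 3 at time 110, after the NewWithOld certificate has expired with the old key, also fails: this is Note 3 of section 2.4 in action, since a verifier still holding only the old key must by then have acquired the new CA key out-of-band.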

3 Data Structures

This section contains descriptions of the data structures required for PKI management messages. Section 4 describes constraints on their values and the sequence of events for each of the various PKI management operations. Section 5 describes how these may be encapsulated in various transport mechanisms.

3.1 Overall PKI Message

All of the messages used in this specification for the purposes of PKI management use the following structure:

   PKIMessage ::= SEQUENCE {
       header           PKIHeader,
       body             PKIBody,
       protection   [0] PKIProtection OPTIONAL,
       extraCerts   [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL
   }

The PKIHeader contains information which is common to many PKI messages.

The PKIBody contains message-specific information.

The PKIProtection, when used, contains bits that protect the PKI message.

The extraCerts field can contain certificates that may be useful to the recipient. For example, this can be used by a CA or RA to present an end entity with certificates that it needs to verify its own new certificate (if, for example, the CA that issued the end entity's certificate is not a root CA for the end entity). Note that this field does not necessarily contain a certification path - the recipient may have to sort, select from, or otherwise process the extra certificates in order to use them.

3.1.1 PKI Message Header

All PKI messages require some header information for addressing and transaction identification. Some of this information will also be present in a transport-specific envelope; however, if the PKI message is protected then this information is also protected (i.e., we make no assumption about secure transport).

The following data structure is used to contain this information:

   PKIHeader ::= SEQUENCE {
       pvno                INTEGER     { ietf-version2 (1) },
       sender              GeneralName,
       -- identifies the sender
       recipient           GeneralName,
       -- identifies the intended recipient
       messageTime     [0] GeneralizedTime         OPTIONAL,
       -- time of production of this message (used when sender
       -- believes that the transport will be "suitable"; i.e.,
       -- that the time will still be meaningful upon receipt)
       protectionAlg   [1] AlgorithmIdentifier     OPTIONAL,
       -- algorithm used for calculation of protection bits
       senderKID       [2] KeyIdentifier           OPTIONAL,
       recipKID        [3] KeyIdentifier           OPTIONAL,
       -- to identify specific keys used for protection
       transactionID   [4] OCTET STRING            OPTIONAL,
       -- identifies the transaction; i.e., this will be the same in
       -- corresponding request, response and confirmation messages
       senderNonce     [5] OCTET STRING            OPTIONAL,
       recipNonce      [6] OCTET STRING            OPTIONAL,
       -- nonces used to provide replay protection, senderNonce
       -- is inserted by the creator of this message; recipNonce
       -- is a nonce previously inserted in a related message by
       -- the intended recipient of this message
       freeText        [7] PKIFreeText             OPTIONAL,
       -- this may be used to indicate context-specific instructions
       -- (this field is intended for human consumption)
       generalInfo     [8] SEQUENCE SIZE (1..MAX) OF
                              InfoTypeAndValue     OPTIONAL
       -- this may be used to convey context-specific information
       -- (this field not primarily intended for human consumption)
   }

   PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
       -- text encoded as UTF-8 String (note: each UTF8String SHOULD
       -- include an RFC 1766 language tag to indicate the language
       -- of the contained text)

The pvno field is fixed (at one) for this version of this specification.

The sender field contains the name of the sender of the PKIMessage. This name (in conjunction with senderKID, if supplied) should be usable to verify the protection on the message. If nothing about the sender is known to the sending entity (e.g., in the init. req. message, where the end entity may not know its own Distinguished Name (DN), e-mail name, IP address, etc.), then the "sender" field MUST contain a "NULL" value; that is, the SEQUENCE OF relative distinguished names is of zero length. In such a case the senderKID field MUST hold an identifier (i.e., a reference number) which indicates to the receiver the appropriate shared secret information to use to verify the message.

The recipient field contains the name of the recipient of the PKIMessage. This name (in conjunction with recipKID, if supplied) should be usable to verify the protection on the message.

The protectionAlg field specifies the algorithm used to protect the message. If no protection bits are supplied (note that PKIProtection is OPTIONAL) then this field MUST be omitted; if protection bits are supplied then this field MUST be supplied.

senderKID and recipKID are usable to indicate which keys have been used to protect the message (recipKID will normally only be required where protection of the message uses Diffie-Hellman (DH) keys).

The transactionID field within the message header MAY be used to allow the recipient of a response message to correlate this with a previously issued request. For example, in the case of an RA there may be many requests "outstanding" at a given moment.

The senderNonce and recipNonce fields protect the PKIMessage against replay attacks.

The messageTime field contains the time at which the sender created the message. This may be useful to allow end entities to correct their local time to be consistent with the time on a central system.

The freeText field may be used to send a human-readable message to the recipient (in any number of languages). The first language used in this sequence indicates the desired language for replies.

The generalInfo field may be used to send machine-processable additional data to the recipient.

3.1.2 PKI Message Body

   PKIBody ::= CHOICE {       -- message-specific body elements
       ir       [0]  CertReqMessages,        --Initialization Request
       ip       [1]  CertRepMessage,         --Initialization Response
       cr       [2]  CertReqMessages,        --Certification Request
       cp       [3]  CertRepMessage,         --Certification Response
       p10cr    [4]  CertificationRequest,   --PKCS #10 Cert.  Req.
       -- the PKCS #10 certification request (see [PKCS10])
       popdecc  [5]  POPODecKeyChallContent, --pop Challenge
       popdecr  [6]  POPODecKeyRespContent,  --pop Response
       kur      [7]  CertReqMessages,        --Key Update Request
       kup      [8]  CertRepMessage,         --Key Update Response
       krr      [9]  CertReqMessages,        --Key Recovery Request
       krp      [10] KeyRecRepContent,       --Key Recovery Response
       rr       [11] RevReqContent,          --Revocation Request
       rp       [12] RevRepContent,          --Revocation Response
       ccr      [13] CertReqMessages,        --Cross-Cert. Request
       ccp      [14] CertRepMessage,         --Cross-Cert. Response
       ckuann   [15] CAKeyUpdAnnContent,     --CA Key Update Ann.
       cann     [16] CertAnnContent,         --Certificate Ann.
       rann     [17] RevAnnContent,          --Revocation Ann.
       crlann   [18] CRLAnnContent,          --CRL Announcement
       conf     [19] PKIConfirmContent,      --Confirmation
       nested   [20] NestedMessageContent,   --Nested Message
       genm     [21] GenMsgContent,          --General Message
       genp     [22] GenRepContent,          --General Response
       error    [23] ErrorMsgContent         --Error Message
   }

The specific types are described in Section 3.3 below.

3.1.3 PKI Message Protection

Some PKI messages will be protected for integrity. (Note that if an asymmetric algorithm is used to protect a message and the relevant public component has been certified already, then the origin of message can also be authenticated. On the other hand, if the public component is uncertified then the message origin cannot be automatically authenticated, but may be authenticated via out-of-band means.)

When protection is applied the following structure is used:

   PKIProtection ::= BIT STRING

The input to the calculation of PKIProtection is the DER encoding of the following data structure:

   ProtectedPart ::= SEQUENCE {
       header    PKIHeader,
       body      PKIBody
   }

There MAY be cases in which the PKIProtection BIT STRING is deliberately not used to protect a message (i.e., this OPTIONAL field is omitted) because other protection, external to PKIX, will instead be applied. Such a choice is explicitly allowed in this specification. Examples of such external protection include PKCS #7 [PKCS7] and Security Multiparts [RFC1847] encapsulation of the PKIMessage (or simply the PKIBody (omitting the CHOICE tag), if the relevant PKIHeader information is securely carried in the external mechanism); specification of external protection using PKCS #7 will be provided in a separate document. It is noted, however, that many such external mechanisms require that the end entity already possesses a public-key certificate, and/or a unique Distinguished Name, and/or other such infrastructure-related information. Thus, they may not be appropriate for initial registration, key-recovery, or any other process with "boot-strapping" characteristics. For those cases it may be necessary that the PKIProtection parameter be used. In the future, if/when external mechanisms are modified to accommodate boot-strapping scenarios, the use of PKIProtection may become rare or non-existent.

Depending on the circumstances the PKIProtection bits may contain a Message Authentication Code (MAC) or signature. Only the following cases can occur:

   - shared secret information

   In this case the sender and recipient share secret information (established via out-of-band means or from a previous PKI management operation). PKIProtection will contain a MAC value and the protectionAlg will be the following:

      PasswordBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 13}

      PBMParameter ::= SEQUENCE {
          salt                OCTET STRING,
          owf                 AlgorithmIdentifier,
          -- AlgId for a One-Way Function (SHA-1 recommended)
          iterationCount      INTEGER,
          -- number of times the OWF is applied
          mac                 AlgorithmIdentifier
          -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
      }   -- or HMAC [RFC2104, RFC2202])

   In the above protectionAlg the salt value is appended to the shared secret input. The OWF is then applied iterationCount times, where the salted secret is the input to the first iteration and, for each successive iteration, the input is set to be the output of the previous iteration. The output of the final iteration (called "BASEKEY" for ease of reference, with a size of "H") is what is used to form the symmetric key. If the MAC algorithm requires a K-bit key and K <= H, then the most significant K bits of BASEKEY are used. If K > H, then all of BASEKEY is used for the most significant H bits of the key, OWF("1" || BASEKEY) is used for the next most significant H bits of the key, OWF("2" || BASEKEY) is used for the next most significant H bits of the key, and so on, until all K bits have been derived. [Here "N" is the ASCII byte encoding the number N and "||" represents concatenation.]

   - DH key pairs

   Where the sender and receiver possess Diffie-Hellman certificates with compatible DH parameters, then in order to protect the message the end entity must generate a symmetric key based on its private DH key value and the DH public key of the recipient of the PKI message. PKIProtection will contain a MAC value keyed with this derived symmetric key and the protectionAlg will be the following:

      DHBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 30}

      DHBMParameter ::= SEQUENCE {
          owf                 AlgorithmIdentifier,
          -- AlgId for a One-Way Function (SHA-1 recommended)
          mac                 AlgorithmIdentifier
          -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
      }   -- or HMAC [RFC2104, RFC2202])

   In the above protectionAlg OWF is applied to the result of the Diffie-Hellman computation. The OWF output (called "BASEKEY" for ease of reference, with a size of "H") is what is used to form the symmetric key. If the MAC algorithm requires a K-bit key and K <= H, then the most significant K bits of BASEKEY are used. If K > H, then all of BASEKEY is used for the most significant H bits of the key, OWF("1" || BASEKEY) is used for the next most significant H bits of the key, OWF("2" || BASEKEY) is used for the next most significant H bits of the key, and so on, until all K bits have been derived. [Here "N" is the ASCII byte encoding the number N and "||" represents concatenation.]

   - signature

   Where the sender possesses a signature key pair it may simply sign the PKI message. PKIProtection will contain the signature value and the protectionAlg will be an AlgorithmIdentifier for a digital signature (e.g., md5WithRSAEncryption or dsaWithSha-1).

   - multiple protection

   In cases where an end entity sends a protected PKI message to an RA, the RA MAY forward that message to a CA, attaching its own protection (which MAY be a MAC or a signature, depending on the information and certificates shared between the RA and the CA). This is accomplished by nesting the entire message sent by the end entity within a new PKI message. The structure used is as follows.

      NestedMessageContent ::= PKIMessage
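The PasswordBasedMac derivation described under "shared secret information" above, and the key-expansion rule it shares with DHBasedMac, as an added example that is not code from RFC 2510. It uses SHA-1 as the OWF and HMAC-SHA1 as the MAC (the RFC's recommended choices) and treats the DER encoding of ProtectedPart as an opaque byte string. The function names and the sample secret, salt, iteration count and message bytes are constructed for this illustration.

```python
"""PasswordBasedMac (RFC 2510 section 3.1.3) key derivation and PKIProtection.

Added example, not code from RFC 2510.  OWF = SHA-1, MAC = HMAC-SHA1; the
DER(ProtectedPart) input is a constructed placeholder byte string.
"""
import hashlib
import hmac


def pbm_basekey(shared_secret: bytes, salt: bytes, iteration_count: int,
                owf=hashlib.sha1) -> bytes:
    """BASEKEY = OWF applied iterationCount times, starting from secret || salt.

    The salt is appended to the shared secret; every later iteration hashes
    the previous iteration's output.
    """
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    out = shared_secret + salt
    for _ in range(iteration_count):
        out = owf(out).digest()
    return out


def expand_key(basekey: bytes, k_bits: int, owf=hashlib.sha1) -> bytes:
    """Stretch BASEKEY (H bits) to the K-bit MAC key.

    K <= H: the most significant K bits of BASEKEY.
    K >  H: BASEKEY || OWF("1"||BASEKEY) || OWF("2"||BASEKEY) || ... truncated
            to K bits, where "N" is the ASCII encoding of the decimal number N.
    DHBasedMac uses the same expansion with BASEKEY = OWF(DH shared value).
    """
    if k_bits % 8:
        raise ValueError("this example handles byte-aligned key sizes only")
    k_bytes = k_bits // 8
    key = basekey
    n = 1
    while len(key) < k_bytes:
        key += owf(str(n).encode("ascii") + basekey).digest()
        n += 1
    return key[:k_bytes]


def pbm_protect(protected_part_der: bytes, shared_secret: bytes, salt: bytes,
                iteration_count: int, mac_key_bits: int = 160) -> bytes:
    """PKIProtection value: HMAC-SHA1 over DER(ProtectedPart) under the derived key."""
    key = expand_key(pbm_basekey(shared_secret, salt, iteration_count), mac_key_bits)
    return hmac.new(key, protected_part_der, hashlib.sha1).digest()


def pbm_verify(protected_part_der: bytes, protection: bytes, shared_secret: bytes,
               salt: bytes, iteration_count: int, mac_key_bits: int = 160) -> bool:
    """Recompute the MAC and compare in constant time (a failure maps to badMessageCheck)."""
    expected = pbm_protect(protected_part_der, shared_secret, salt,
                           iteration_count, mac_key_bits)
    return hmac.compare_digest(expected, protection)


# Constructed sample values (assumption): a secret handed out out-of-band with
# a reference number, a salt the sender chose, and a stand-in for the DER
# encoding of ProtectedPart { header, body }.
SHARED_SECRET = b"enrolment-secret-9f3a"
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
ITERATIONS = 1000
PROTECTED_PART = b"\x30\x82\x01\x00" + b"header-and-body-placeholder"

if __name__ == "__main__":
    tag = pbm_protect(PROTECTED_PART, SHARED_SECRET, SALT, ITERATIONS)
    print("PKIProtection:", tag.hex())
    print("verifies:     ", pbm_verify(PROTECTED_PART, tag, SHARED_SECRET, SALT, ITERATIONS))
    print("tampered body:", pbm_verify(PROTECTED_PART + b"x", tag, SHARED_SECRET, SALT, ITERATIONS))
```

The salt and iterationCount travel in the clear inside PBMParameter, so the only secret input is the shared secret itself; a receiver that rejects a message on MAC failure reports badMessageCheck in PKIFailureInfo rather than revealing which of the inputs was wrong.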

3.2 Common Data Structures

Before specifying the specific types that may be placed in a PKIBody we define some data structures that are used in more than one case.

3.2.1 Requested Certificate Contents

Various PKI management messages require that the originator of the message indicate some of the fields that are required to be present in a certificate. The CertTemplate structure allows an end entity or RA to specify as much as it wishes about the certificate it requires. CertTemplate is identical to a Certificate but with all fields optional.

Note that even if the originator completely specifies the contents of a certificate it requires, a CA is free to modify fields within the certificate actually issued. If the modified certificate is unacceptable to the requester, the Confirmation message may be withheld, or an Error Message may be sent (with a PKIStatus of "rejection").

See [CRMF] for CertTemplate syntax.

3.2.2 Encrypted Values

Where encrypted values (restricted, in this specification, to be either private keys or certificates) are sent in PKI messages the EncryptedValue data structure is used.

See [CRMF] for EncryptedValue syntax.

Use of this data structure requires that the creator and intended recipient respectively be able to encrypt and decrypt. Typically, this will mean that the sender and recipient have, or are able to generate, a shared secret key.

If the recipient of the PKIMessage already possesses a private key usable for decryption, then the encSymmKey field MAY contain a session key encrypted using the recipient's public key.

3.2.3 Status codes and Failure Information for PKI messages

All response messages will include some status information. The following values are defined.

   PKIStatus ::= INTEGER {
       granted                (0),
       -- you got exactly what you asked for
       grantedWithMods        (1),
       -- you got something like what you asked for; the
       -- requester is responsible for ascertaining the differences
       rejection              (2),
       -- you don't get it, more information elsewhere in the message
       waiting                (3),
       -- the request body part has not yet been processed,
       -- expect to hear more later
       revocationWarning      (4),
       -- this message contains a warning that a revocation is
       -- imminent
       revocationNotification (5),
       -- notification that a revocation has occurred
       keyUpdateWarning       (6)
       -- update already done for the oldCertId specified in
       -- the key update request message
   }

Responders may use the following syntax to provide more information about failure cases.

   PKIFailureInfo ::= BIT STRING {
   -- since we can fail in more than one way!
   -- More codes may be added in the future if/when required.
       badAlg           (0),
       -- unrecognized or unsupported Algorithm Identifier
       badMessageCheck  (1),
       -- integrity check failed (e.g., signature did not verify)
       badRequest       (2),
       -- transaction not permitted or supported
       badTime          (3),
       -- messageTime was not sufficiently close to the system time,
       -- as defined by local policy
       badCertId        (4),
       -- no certificate could be found matching the provided criteria
       badDataFormat    (5),
       -- the data submitted has the wrong format
       wrongAuthority   (6),
       -- the authority indicated in the request is different from the
       -- one creating the response token
       incorrectData    (7),
       -- the requester's data is incorrect (used for notary services)
       missingTimeStamp (8),
       -- when the timestamp is missing but should be there (by policy)
       badPOP           (9)
       -- the proof-of-possession failed
   }

   PKIStatusInfo ::= SEQUENCE {
       status        PKIStatus,
       statusString  PKIFreeText     OPTIONAL,
       failInfo      PKIFailureInfo  OPTIONAL
   }

3.2.4 Certificate Identification

In order to identify particular certificates the CertId data structure is used.

See [CRMF] for CertId syntax.
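PKIFailureInfo is a named-bit BIT STRING, and its DER encoding is a frequent source of interoperability bugs: named bit 0 (badAlg) is the most significant bit of the first content octet, DER omits trailing zero bits and records how many bits of the last octet are unused, and an empty bit list is encoded as 03 01 00. The encoder and decoder below are an added example, not code from RFC 2510; the function names are this example's own, and a receiver that meets a bit it does not know (the RFC says more codes may be added) keeps it as "bit<N>" rather than failing.

```python
"""DER encoding of the PKIFailureInfo named-bit BIT STRING (RFC 2510 section 3.2.3).

Added example, not code from RFC 2510.
"""

FAILURE_BITS = {
    "badAlg": 0, "badMessageCheck": 1, "badRequest": 2, "badTime": 3,
    "badCertId": 4, "badDataFormat": 5, "wrongAuthority": 6,
    "incorrectData": 7, "missingTimeStamp": 8, "badPOP": 9,
}
BIT_NAMES = {v: k for k, v in FAILURE_BITS.items()}


def encode_failure_info(names) -> bytes:
    """Return the DER BIT STRING (tag 0x03) for a collection of PKIFailureInfo names."""
    bits = sorted(FAILURE_BITS[n] for n in names)
    if not bits:
        return b"\x03\x01\x00"            # DER: an empty named-bit list has no content bits
    highest = bits[-1]
    body = bytearray(highest // 8 + 1)    # DER: no octets beyond the highest set bit
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)   # named bit 0 is the MSB of octet 0
    unused = 7 - (highest % 8)            # trailing zero bits of the last octet
    content = bytes([unused]) + bytes(body)
    return b"\x03" + bytes([len(content)]) + content   # short-form length is enough here


def decode_failure_info(der: bytes):
    """Parse a DER BIT STRING back into the set of PKIFailureInfo names.

    Bits the receiver does not know are returned as 'bit<N>' so they can be logged.
    """
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    if body and unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero (DER)")
    names = set()
    for i, octet in enumerate(body):
        for j in range(8):
            if octet & (0x80 >> j):
                bit = i * 8 + j
                names.add(BIT_NAMES.get(bit, "bit%d" % bit))
    return names


if __name__ == "__main__":
    der = encode_failure_info({"badMessageCheck", "badPOP"})
    print(der.hex())                         # 0303064040
    print(sorted(decode_failure_info(der)))  # ['badMessageCheck', 'badPOP']
```

For {badMessageCheck, badPOP} the bits set are 1 and 9, so the content is two octets 40 40 with 6 unused bits, giving 03 03 06 40 40; an encoder that emits a fixed-width two-octet body or a non-zero padding bit produces BER that a strict DER decoder must reject.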

3.2.5 "Out-of-band" root CA public key

Each root CA must be able to publish its current public key via some "out-of-band" means. While such mechanisms are beyond the scope of this document, we define data structures which can support such mechanisms.

There are generally two methods available: either the CA directly publishes its self-signed certificate; or this information is available via the Directory (or equivalent) and the CA publishes a hash of this value to allow verification of its integrity before use.

   OOBCert ::= Certificate

The fields within this certificate are restricted as follows:

   - The certificate MUST be self-signed (i.e., the signature must be verifiable using the SubjectPublicKeyInfo field);

   - The subject and issuer fields MUST be identical;

   - If the subject field is NULL then both subjectAltNames and issuerAltNames extensions MUST be present and have exactly the same value;

   - The values of all other extensions must be suitable for a self-signed certificate (e.g., key identifiers for subject and issuer must be the same).

   OOBCertHash ::= SEQUENCE {
       hashAlg     [0] AlgorithmIdentifier     OPTIONAL,
       certId      [1] CertId                  OPTIONAL,
       hashVal         BIT STRING
       -- hashVal is calculated over the self-signed
       -- certificate with the identifier certID.
   }

The intention of the hash value is that anyone who has securely received the hash value (via the out-of-band means) can verify a self-signed certificate for that CA.

3.2.6 Archive Options

Requesters may indicate that they wish the PKI to archive a private key value using the PKIArchiveOptions structure.

See [CRMF] for PKIArchiveOptions syntax.

3.2.7 Publication Information

Requesters may indicate that they wish the PKI to publish a certificate using the PKIPublicationInfo structure.

See [CRMF] for PKIPublicationInfo syntax.

3.2.8 Proof-of-Possession Structures

If the certification request is for a signing key pair (i.e., a request for a verification certificate), then the proof of possession of the private signing key is demonstrated through use of the POPOSigningKey structure.

See [CRMF] for POPOSigningKey syntax, but note that POPOSigningKeyInput has the following semantic stipulations in this specification.

   POPOSigningKeyInput ::= SEQUENCE {
       authInfo            CHOICE {
           sender              [0] GeneralName,
           -- from PKIHeader (used only if an authenticated identity
           -- has been established for the sender (e.g., a DN from a
           -- previously-issued and currently-valid certificate))
           publicKeyMAC        [1] PKMACValue
           -- used if no authenticated GeneralName currently exists for
           -- the sender; publicKeyMAC contains a password-based MAC
           -- (using the protectionAlg AlgId from PKIHeader) on the
           -- DER-encoded value of publicKey
       },
       publicKey           SubjectPublicKeyInfo  -- from CertTemplate
   }

On the other hand, if the certification request is for an encryption key pair (i.e., a request for an encryption certificate), then the proof of possession of the private decryption key may be demonstrated in one of three ways.

   1) By the inclusion of the private key (encrypted) in the CertRequest (in the PKIArchiveOptions control structure).

   2) By having the CA return not the certificate, but an encrypted certificate (i.e., the certificate encrypted under a randomly-generated symmetric key, and the symmetric key encrypted under the public key for which the certification request is being made) -- this is the "indirect" method mentioned previously in Section 2.3.2. The end entity proves knowledge of the private decryption key to the CA by MACing the PKIConfirm message using a key derived from this symmetric key. [Note that if more than one CertReqMsg is included in the PKIMessage, then the CA uses a different symmetric key for each CertReqMsg and the MAC uses a key derived from the concatenation of all these keys.] The MACing procedure uses the PasswordBasedMac AlgId defined in Section 3.1.3.

   3) By having the end entity engage in a challenge-response protocol (using the messages POPODecKeyChall and POPODecKeyResp; see below) between CertReqMessages and CertRepMessage -- this is the "direct" method mentioned previously in Section 2.3.2. [This method would typically be used in an environment in which an RA verifies POP and then makes a certification request to the CA on behalf of the end entity. In such a scenario, the CA trusts the RA to have done POP correctly before the RA requests a certificate for the end entity.] The complete protocol then looks as follows (note that req' does not necessarily encapsulate req as a nested message):

          EE            RA            CA
           ---- req ---->
           <--- chall ---
           ---- resp --->
                         ---- req' --->
                         <--- rep -----
                         ---- conf --->
           <--- rep -----
           ---- conf --->

   This protocol is obviously much longer than the 3-way exchange given in choice (2) above, but allows a local Registration Authority to be involved and has the property that the certificate itself is not actually created until the proof of possession is complete.

If the cert. request is for a key agreement key (KAK) pair, then the POP can use any of the 3 ways described above for enc. key pairs, with the following changes: (1) the parenthetical text of bullet 2) is replaced with "(i.e., the certificate encrypted under the symmetric key derived from the CA's private KAK and the public key for which the certification request is being made)"; (2) the first parenthetical text of the challenge field of "Challenge" below is replaced with "(using PreferredSymmAlg (see Appendix B6) and a symmetric key derived from the CA's private KAK and the public key for which the certification request is being made)". Alternatively, the POP can use the POPOSigningKey structure given in [CRMF] (where the alg field is DHBasedMAC and the signature field is the MAC) as a fourth alternative for demonstrating POP if the CA already has a D-H certificate that is known to the EE.

The challenge-response messages for proof of possession of a private decryption key are specified as follows (see [MvOV97, p.404] for details). Note that this challenge-response exchange is associated with the preceding cert. request message (and subsequent cert. response and confirmation messages) by the nonces used in the PKIHeader and by the protection (MACing or signing) applied to the PKIMessage.

   POPODecKeyChallContent ::= SEQUENCE OF Challenge
   -- One Challenge per encryption key certification request (in the
   -- same order as these requests appear in CertReqMessages).

   Challenge ::= SEQUENCE {
       owf                 AlgorithmIdentifier  OPTIONAL,
       -- MUST be present in the first Challenge; MAY be omitted in any
       -- subsequent Challenge in POPODecKeyChallContent (if omitted,
       -- then the owf used in the immediately preceding Challenge is
       -- to be used).
       witness             OCTET STRING,
       -- the result of applying the one-way function (owf) to a
       -- randomly-generated INTEGER, A.  [Note that a different
       -- INTEGER MUST be used for each Challenge.]
       challenge           OCTET STRING
       -- the encryption (under the public key for which the cert.
       -- request is being made) of Rand, where Rand is specified as
       --   Rand ::= SEQUENCE {
       --      int      INTEGER,
       --       - the randomly-generated INTEGER A (above)
       --      sender   GeneralName
       --       - the sender's name (as included in PKIHeader)
       --   }
   }

   POPODecKeyRespContent ::= SEQUENCE OF INTEGER
   -- One INTEGER per encryption key certification request (in the
   -- same order as these requests appear in CertReqMessages).  The
   -- retrieved INTEGER A (above) is returned to the sender of the
   -- corresponding Challenge.

3.3 Operation-Specific Data Structures

3.3.1 Initialization Request

An Initialization request message contains as the PKIBody a CertReqMessages data structure which specifies the requested certificate(s). Typically, SubjectPublicKeyInfo, KeyId, and Validity are the template fields which may be supplied for each certificate requested (see Appendix B profiles for further information). This message is intended to be used for entities first initializing into the PKI.

See [CRMF] for CertReqMessages syntax.

3.3.2 Initialization Response

An Initialization response message contains as the PKIBody a CertRepMessage data structure which has for each certificate requested a PKIStatusInfo field, a subject certificate, and possibly a private key (normally encrypted with a session key, which is itself encrypted with the protocolEncKey).

See Section 3.3.4 for CertRepMessage syntax. Note that if the PKI Message Protection is "shared secret information" (see Section 3.1.3), then any certificate transported in the caPubs field may be directly trusted as a root CA certificate by the initiator.

3.3.3 Registration/Certification Request

A Registration/Certification request message contains as the PKIBody a CertReqMessages data structure which specifies the requested certificates. This message is intended to be used for existing PKI entities who wish to obtain additional certificates.

See [CRMF] for CertReqMessages syntax.

Alternatively, the PKIBody MAY be a CertificationRequest (this structure is fully specified by the ASN.1 structure CertificationRequest given in [PKCS10]). This structure may be required for certificate requests for signing key pairs when interoperation with legacy systems is desired, but its use is strongly discouraged whenever not absolutely necessary.

3.3.4 Registration/Certification Response

A registration response message contains as the PKIBody a CertRepMessage data structure which has a status value for each certificate requested, and optionally has a CA public key, failure information, a subject certificate, and an encrypted private key.

   CertRepMessage ::= SEQUENCE {
       caPubs       [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL,
       response         SEQUENCE OF CertResponse
   }

   CertResponse ::= SEQUENCE {
       certReqId           INTEGER,
       -- to match this response with corresponding request (a value
       -- of -1 is to be used if certReqId is not specified in the
       -- corresponding request)
       status              PKIStatusInfo,
       certifiedKeyPair    CertifiedKeyPair    OPTIONAL,
       rspInfo             OCTET STRING        OPTIONAL
       -- analogous to the id-regInfo-asciiPairs OCTET STRING defined
       -- for regInfo in CertReqMsg [CRMF]
   }

   CertifiedKeyPair ::= SEQUENCE {
       certOrEncCert       CertOrEncCert,
       privateKey      [0] EncryptedValue      OPTIONAL,
       publicationInfo [1] PKIPublicationInfo  OPTIONAL
   }

   CertOrEncCert ::= CHOICE {
       certificate     [0] Certificate,
       encryptedCert   [1] EncryptedValue
   }

Only one of the failInfo (in PKIStatusInfo) and certificate (in CertifiedKeyPair) fields can be present in each CertResponse (depending on the status). For some status values (e.g., waiting) neither of the optional fields will be present.

Given an EncryptedCert and the relevant decryption key the certificate may be obtained. The purpose of this is to allow a CA to return the value of a certificate, but with the constraint that only the intended recipient can obtain the actual certificate. The benefit of this approach is that a CA may reply with a certificate even in the absence of a proof that the requester is the end entity which can use the relevant private key (note that the proof is not obtained until the PKIConfirm message is received by the CA). Thus the CA will not have to revoke that certificate in the event that something goes wrong with the proof of possession.

3.3.5 Key update request content

For key update requests the CertReqMessages syntax is used. Typically, SubjectPublicKeyInfo, KeyId, and Validity are the template fields which may be supplied for each key to be updated. This message is intended to be used to request updates to existing (non-revoked and non-expired) certificates.

See [CRMF] for CertReqMessages syntax.

3.3.6 Key Update response content

For key update responses the CertRepMessage syntax is used. The response is identical to the initialization response.

See Section 3.3.4 for CertRepMessage syntax.

3.3.7 Key Recovery Request content

For key recovery requests the syntax used is identical to the initialization request CertReqMessages. Typically, SubjectPublicKeyInfo and KeyId are the template fields which may be used to supply a signature public key for which a certificate is required (see Appendix B profiles for further information).

See [CRMF] for CertReqMessages syntax. Note that if a key history is required, the requester must supply a Protocol Encryption Key control in the request message.

3.3.8 Key recovery response content

For key recovery responses the following syntax is used. For some status values (e.g., waiting) none of the optional fields will be present.

   KeyRecRepContent ::= SEQUENCE {
       status          PKIStatusInfo,
       newSigCert  [0] Certificate                               OPTIONAL,
       caCerts     [1] SEQUENCE SIZE (1..MAX) OF Certificate      OPTIONAL,
       keyPairHist [2] SEQUENCE SIZE (1..MAX) OF CertifiedKeyPair OPTIONAL
   }

3.3.9 Revocation Request Content

When requesting revocation of a certificate (or several certificates) the following data structure is used. The name of the requester is present in the PKIHeader structure.

   RevReqContent ::= SEQUENCE OF RevDetails

   RevDetails ::= SEQUENCE {
       certDetails         CertTemplate,
       -- allows requester to specify as much as they can about
       -- the cert. for which revocation is requested
       -- (e.g., for cases in which serialNumber is not available)
       revocationReason    ReasonFlags      OPTIONAL,
       -- the reason that revocation is requested
       badSinceDate        GeneralizedTime  OPTIONAL,
       -- indicates best knowledge of sender
       crlEntryDetails     Extensions       OPTIONAL
       -- requested crlEntryExtensions
   }

3.3.10 Revocation Response Content

The response to the above message. If produced, this is sent to the requester of the revocation. (A separate revocation announcement message MAY be sent to the subject of the certificate for which revocation was requested.)

   RevRepContent ::= SEQUENCE {
       status       SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
       -- in same order as was sent in RevReqContent
       revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
       -- IDs for which revocation was requested (same order as status)
       crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
       -- the resulting CRLs (there may be more than one)
   }

3.3.11 Cross certification request content

Cross certification requests use the same syntax (CertReqMessages) as for normal certification requests with the restriction that the key pair MUST have been generated by the requesting CA and the private key MUST NOT be sent to the responding CA.

See [CRMF] for CertReqMessages syntax.

3.3.12 Cross certification response content

Cross certification responses use the same syntax (CertRepMessage) as for normal certification responses with the restriction that no encrypted private key can be sent.

See Section 3.3.4 for CertRepMessage syntax.

3.3.13 CA Key Update Announcement content

When a CA updates its own key pair the following data structure MAY be used to announce this event.

   CAKeyUpdAnnContent ::= SEQUENCE {
       oldWithNew      Certificate, -- old pub signed with new priv
       newWithOld      Certificate, -- new pub signed with old priv
       newWithNew      Certificate  -- new pub signed with new priv
   }

3.3.14 Certificate Announcement

This structure MAY be used to announce the existence of certificates.

Note that this message is intended to be used for those cases (if any) where there is no pre-existing method for publication of certificates; it is not intended to be used where, for example, X.500 is the method for publication of certificates.

   CertAnnContent ::= Certificate

3.3.15 Revocation Announcement

When a CA has revoked, or is about to revoke, a particular certificate it MAY issue an announcement of this (possibly upcoming) event.

   RevAnnContent ::= SEQUENCE {
       status              PKIStatus,
       certId              CertId,
       willBeRevokedAt     GeneralizedTime,
       badSinceDate        GeneralizedTime,
       crlDetails          Extensions  OPTIONAL
       -- extra CRL details (e.g., crl number, reason, location, etc.)
   }

A CA MAY use such an announcement to warn (or notify) a subject that its certificate is about to be (or has been) revoked. This would typically be used where the request for revocation did not come from the subject concerned.

The willBeRevokedAt field contains the time at which a new entry will be added to the relevant CRLs.

3.3.16 CRL Announcement

When a CA issues a new CRL (or set of CRLs) the following data structure MAY be used to announce this event.

   CRLAnnContent ::= SEQUENCE OF CertificateList

3.3.17PKIConfirmationcontent

Thisdatastructureisusedinthree-wayprotocolsasthefinalPKIMessage.Itscontentisthesameinallcases-actuallythereisnocontentsincethePKIHeadercarriesalltherequiredinformation.

PKIConfirmContent::=NULL3.3.18PKIGeneralMessagecontent

InfoTypeAndValue::=SEQUENCE{

infoTypeOBJECTIDENTIFIER,infoValueANYDEFINEDBYinfoTypeOPTIONAL}

--ExampleInfoTypeAndValuecontentsinclude,butarenotlimitedto:--{CAProtEncCert={id-it1},Certificate}--{SignKeyPairTypes={id-it2},SEQUENCEOFAlgorithmIdentifier}--{EncKeyPairTypes={id-it3},SEQUENCEOFAlgorithmIdentifier}--{PreferredSymmAlg={id-it4},AlgorithmIdentifier}--{CAKeyUpdateInfo={id-it5},CAKeyUpdAnnContent}--{CurrentCRL={id-it6},CertificateList}--where{id-it}={id-pkix4}={13615574}

--ThisconstructMAYalsobeusedtodefinenewPKIXCertificate--ManagementProtocolrequestandresponsemessages,orgeneral---purpose(e.g.,announcement)messagesforfutureneedsorfor--specificenvironments.

GenMsgContent::=SEQUENCEOFInfoTypeAndValue

--MaybesentbyEE,RA,orCA(dependingonmessagecontent).

--TheOPTIONALinfoValueparameterofInfoTypeAndValuewilltypically--beomittedforsomeoftheexamplesgivenabove.Thereceiveris--freetoignoreanycontainedOBJ.IDsthatitdoesnotrecognize.--IfsentfromEEtoCA,theemptysetindicatesthattheCAmaysend--any/allinformationthatitwishes.3.3.19PKIGeneralResponsecontent

GenRepContent::=SEQUENCEOFInfoTypeAndValue

–ThereceiverisfreetoignoreanycontainedOBJ.IDsthatitdoes–notrecognize.3.3.20ErrorMessagecontent

ErrorMsgContent::=SEQUENCE{

pKIStatusInfoPKIStatusInfo,errorCodeINTEGEROPTIONAL,--implementation-specificerrorcodeserrorDetailsPKIFreeTextOPTIONAL--implementation-specificerrordetails}
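   The following Python is an added example, not code from RFC 2510 or
   from any CMP implementation. It encodes and decodes the GenMsgContent
   of Section 3.3.18 at the DER level: the id-it object identifiers
   under {1 3 6 1 5 5 7 4}, InfoTypeAndValue entries with the infoValue
   omitted, the empty SEQUENCE that an end entity sends to ask the CA
   for any information it wishes (which is the same '3000'H octets as the
   NULL-DN of Appendix B.1), and a decoder that keeps unrecognized
   object identifiers rather than rejecting them. The DER helpers are
   minimal and written here for the example; only definite-length
   encoding is handled.

```python
SEQUENCE_TAG, OID_TAG = 0x30, 0x06
ID_IT = (1, 3, 6, 1, 5, 5, 7, 4)  # {id-pkix 4}, Section 3.3.18
ID_IT_NAMES = {1: "CAProtEncCert", 2: "SignKeyPairTypes", 3: "EncKeyPairTypes",
               4: "PreferredSymmAlg", 5: "CAKeyUpdateInfo", 6: "CurrentCRL"}


def der_length(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = tuple(arcs)
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes([OID_TAG]) + der_length(len(out)) + bytes(out)


def encode_sequence(*elements: bytes) -> bytes:
    """SEQUENCE / SEQUENCE OF; with no elements this is the '3000'H of the
    NULL-DN (B.1) and of an empty GenMsgContent."""
    content = b"".join(elements)
    return bytes([SEQUENCE_TAG]) + der_length(len(content)) + content


def encode_info_type_and_value(oid, value_der: bytes = b"") -> bytes:
    """InfoTypeAndValue; the OPTIONAL infoValue is omitted when value_der is empty."""
    return encode_sequence(encode_oid(oid), value_der)


def encode_gen_msg_content(info_types) -> bytes:
    """GenMsgContent ::= SEQUENCE OF InfoTypeAndValue (infoValue omitted)."""
    return encode_sequence(*(encode_info_type_and_value(o) for o in info_types))


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, position after the element); rejects truncation."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated TLV content")
    return tag, data[pos:pos + length], pos + length


def decode_oid_content(content: bytes) -> tuple:
    if not content:
        raise ValueError("empty OID")
    first_arc = min(content[0] // 40, 2)
    arcs, value = [first_arc, content[0] - 40 * first_arc], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID arc")
    return tuple(arcs)


def decode_gen_msg_content(data: bytes) -> list:
    """Return [(oid, id-it name or None, raw infoValue bytes), ...]. Unknown
    OIDs are kept rather than rejected, as Section 3.3.18 lets a receiver
    ignore object identifiers it does not recognize."""
    tag, content, end = _read_tlv(data, 0)
    if tag != SEQUENCE_TAG or end != len(data):
        raise ValueError("not a single SEQUENCE")
    entries, pos = [], 0
    while pos < len(content):
        itag, icontent, pos = _read_tlv(content, pos)
        if itag != SEQUENCE_TAG:
            raise ValueError("InfoTypeAndValue must be a SEQUENCE")
        otag, ocontent, opos = _read_tlv(icontent, 0)
        if otag != OID_TAG:
            raise ValueError("infoType must be an OBJECT IDENTIFIER")
        oid = decode_oid_content(ocontent)
        name = ID_IT_NAMES.get(oid[-1]) if oid[:-1] == ID_IT else None
        entries.append((oid, name, icontent[opos:]))
    return entries
```

   A request for the current CRL, encode_gen_msg_content([ID_IT + (6,)]),
   yields 30 0C 30 0A 06 08 2B 06 01 05 05 07 04 06; the empty request is
   30 00. The decoder reports every entry and leaves the decision to
   ignore unknown infoType values to the caller, which is the behaviour
   the text permits.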

4 Mandatory PKI Management functions

   The PKI management functions outlined in Section 1 above are
   described in this section.

   This section deals with functions that are "mandatory" in the sense
   that all end entity and CA/RA implementations MUST be able to provide
   the functionality described (perhaps via one of the transport
   mechanisms defined in Section 5). This part is effectively the
   profile of the PKI management functionality that MUST be supported.

   Note that not all PKI management functions result in the creation of
   a PKI message.

4.1 Root CA initialization

   [See Section 1.2.2 for this document's definition of "root CA".]

   A newly created root CA must produce a "self-certificate" which is a
   Certificate structure with the profile defined for the "newWithNew"
   certificate issued following a root CA key update.

   In order to make the CA's self certificate useful to end entities
   that do not acquire the self certificate via "out-of-band" means, the
   CA must also produce a fingerprint for its public key. End entities
   that acquire this fingerprint securely via some "out-of-band" means
   can then verify the CA's self-certificate and hence the other
   attributes contained therein.

   The data structure used to carry the fingerprint is the OOBCertHash.

4.2 Root CA key update

   CA keys (as all other keys) have a finite lifetime and will have to
   be updated on a periodic basis. The certificates NewWithNew,
   NewWithOld, and OldWithNew (see Section 2.4.1) are issued by the CA
   to aid existing end entities who hold the current self-signed CA
   certificate (OldWithOld) to transition securely to the new
   self-signed CA certificate (NewWithNew), and to aid new end entities
   who will hold NewWithNew to acquire OldWithOld securely for
   verification of existing data.

4.3 Subordinate CA initialization

   [See Section 1.2.2 for this document's definition of "subordinate
   CA".]

   From the perspective of PKI management protocols the initialization
   of a subordinate CA is the same as the initialization of an end
   entity. The only difference is that the subordinate CA must also
   produce an initial revocation list.

4.4 CRL production

   Before issuing any certificates a newly established CA (which issues
   CRLs) must produce "empty" versions of each CRL which is to be
   periodically produced.

4.5 PKI information request

   When a PKI entity (CA, RA, or EE) wishes to acquire information about
   the current status of a CA it MAY send that CA a request for such
   information.

   The CA must respond to the request by providing (at least) all of the
   information requested by the requester. If some of the information
   cannot be provided then an error must be conveyed to the requester.

   If PKIMessages are used to request and supply this PKI information,
   then the request must be the GenMsg message, the response must be the
   GenRep message, and the error must be the Error message. These
   messages are protected using a MAC based on shared secret information
   (i.e., PasswordBasedMAC) or any other authenticated means (if the end
   entity has an existing certificate).

4.6 Cross certification

   The requester CA is the CA that will become the subject of the
   cross-certificate; the responder CA will become the issuer of the
   cross-certificate.

   The requester CA must be "up and running" before initiating the
   cross-certification operation.

4.6.1 One-way request-response scheme:

   The cross-certification scheme is essentially a one way operation;
   that is, when successful, this operation results in the creation of
   one new cross-certificate. If the requirement is that
   cross-certificates be created in "both directions" then each CA in
   turn must initiate a cross-certification operation (or use another
   scheme).

   This scheme is suitable where the two CAs in question can already
   verify each other's signatures (they have some common points of
   trust) or where there is an out-of-band verification of the origin of
   the certification request.

   Detailed Description:

   Cross certification is initiated at one CA known as the responder.
   The CA administrator for the responder identifies the CA it wants to
   cross certify and the responder CA equipment generates an
   authorization code. The responder CA administrator passes this
   authorization code by out-of-band means to the requester CA
   administrator. The requester CA administrator enters the
   authorization code at the requester CA in order to initiate the
   on-line exchange.

   The authorization code is used for authentication and integrity
   purposes. This is done by generating a symmetric key based on the
   authorization code and using the symmetric key for generating Message
   Authentication Codes (MACs) on all messages exchanged.

   The requester CA initiates the exchange by generating a random number
   (requester random number). The requester CA then sends to the
   responder CA the cross certification request (ccr) message. The
   fields in this message are protected from modification with a MAC
   based on the authorization code.

   Upon receipt of the ccr message, the responder CA checks the protocol
   version, saves the requester random number, generates its own random
   number (responder random number) and validates the MAC. It then
   generates (and archives, if desired) a new requester certificate that
   contains the requester CA public key and is signed with the responder
   CA signature private key. The responder CA responds with the cross
   certification response (ccp) message. The fields in this message are
   protected from modification with a MAC based on the authorization
   code.

   Upon receipt of the ccp message, the requester CA checks that its own
   system time is close to the responder CA system time, checks the
   received random numbers and validates the MAC. The requester CA
   responds with the PKIConfirm message. The fields in this message are
   protected from modification with a MAC based on the authorization
   code. The requester CA writes the requester certificate to the
   Repository.

   Upon receipt of the PKIConfirm message, the responder CA checks the
   random numbers and validates the MAC.

   Notes:

   1. The ccr message must contain a "complete" certification request,
      that is, all fields (including, e.g., a BasicConstraints
      extension) must be specified by the requester CA.

   2. The ccp message SHOULD contain the verification certificate of the
      responder CA - if present, the requester CA must then verify this
      certificate (for example, via the "out-of-band" mechanism).

4.6.2 End entity initialization

   As with CAs, end entities must be initialized. Initialization of end
   entities requires at least two steps:

   - acquisition of PKI information

   - out-of-band verification of one root-CA public key

   (other possible steps include the retrieval of trust condition
   information and/or out-of-band verification of other CA public keys).

4.6.3 Acquisition of PKI information

   The information REQUIRED is:

   - the current root-CA public key

   - (if the certifying CA is not a root-CA) the certification path from
     the root CA to the certifying CA together with appropriate
     revocation lists

   - the algorithms and algorithm parameters which the certifying CA
     supports for each relevant usage

   Additional information could be required (e.g., supported extensions
   or CA policy information) in order to produce a certification request
   which will be successful. However, for simplicity we do not mandate
   that the end entity acquires this information via the PKI messages.
   The end result is simply that some certification requests may fail
   (e.g., if the end entity wants to generate its own encryption key but
   the CA doesn't allow that).

   The required information MAY be acquired as described in Section 4.5.

4.6.4 Out-of-Band Verification of Root-CA Key

   An end entity must securely possess the public key of its root CA.
   One method to achieve this is to provide the end entity with the CA's
   self-certificate fingerprint via some secure "out-of-band" means. The
   end entity can then securely use the CA's self-certificate.

   See Section 4.1 for further details.

25

4.7 Certificate Request

   An initialized end entity MAY request a certificate at any time (as
   part of an update procedure, or for any other purpose). This request
   will be made using the certification request (cr) message. If the end
   entity already possesses a signing key pair (with a corresponding
   verification certificate), then this cr message will typically be
   protected by the entity's digital signature. The CA returns the new
   certificate (if the request is successful) in a CertRepMessage.

4.8 Key Update

   When a key pair is due to expire the relevant end entity MAY request
   a key update - that is, it MAY request that the CA issue a new
   certificate for a new key pair. The request is made using a key
   update request (kur) message. If the end entity already possesses a
   signing key pair (with a corresponding verification certificate),
   then this message will typically be protected by the entity's digital
   signature. The CA returns the new certificate (if the request is
   successful) in a key update response (kup) message, which is
   syntactically identical to a CertRepMessage.

5 Transports

   The transport protocols specified below allow end entities, RAs and
   CAs to pass PKI messages between them. There is no requirement for
   specific security mechanisms to be applied at this level if the PKI
   messages are suitably protected (that is, if the OPTIONAL
   PKIProtection parameter is used as specified for each message).

5.1 File based protocol

   A file containing a PKI message MUST contain only the DER encoding of
   one PKI message, i.e., there MUST be no extraneous header or trailer
   information in the file.

   Such files can be used to transport PKI messages using, e.g., FTP.

5.2 Direct TCP-Based Management Protocol

   The following simple TCP-based protocol is to be used for transport
   of PKI messages. This protocol is suitable for cases where an end
   entity (or an RA) initiates a transaction and can poll to pick up the
   results.

   If a transaction is initiated by a PKI entity (RA or CA) then an end
   entity must either supply a listener process or be supplied with a
   polling reference (see below) in order to allow it to pick up the PKI
   message from the PKI management component.

   The protocol basically assumes a listener process on an RA or CA
   which can accept PKI messages on a well-defined port (port number
   829). Typically an initiator binds to this port and submits the
   initial PKI message for a given transaction ID. The responder replies
   with a PKI message and/or with a reference number to be used later
   when polling for the actual PKI message response.

   If a number of PKI response messages are to be produced for a given
   request (say if some part of the request is handled more quickly than
   another) then a new polling reference is also returned.

   When the final PKI response message has been picked up by the
   initiator then no new polling reference is supplied.

   The initiator of a transaction sends a "direct TCP-based PKI message"
   to the recipient. The recipient responds with a similar message.

   A "direct TCP-based PKI message" consists of:

      length (32-bits), flag (8-bits), value (defined below)

   The length field contains the number of octets of the remainder of
   the message (i.e., number of octets of "value" plus one). All 32-bit
   values in this protocol are specified to be in network byte order.

   Message name  flag   value

   pkiMsg        '00'H  DER-encoded PKI message
                        -- PKI message

   pollRep       '01'H  polling reference (32 bits),
                        time-to-check-back (32 bits)
                        -- poll response where no PKI message response
                        -- ready; use polling reference value (and
                        -- estimated time value) for later polling

   pollReq       '02'H  polling reference (32 bits)
                        -- request for a PKI message response to initial
                        -- message

   negPollRep    '03'H  '00'H
                        -- no further polling responses (i.e.,
                        -- transaction complete)

   partialMsgRep '04'H  next polling reference (32 bits),
                        time-to-check-back (32 bits),
                        DER-encoded PKI message
                        -- partial response to initial message plus new
                        -- polling reference (and estimated time value)
                        -- to use to get next part of response

   finalMsgRep   '05'H  DER-encoded PKI message
                        -- final (and possibly sole) response to initial
                        -- message

   errorMsgRep   '06'H  human readable error message
                        -- produced when an error is detected (e.g., a
                        -- polling reference is received which doesn't
                        -- exist or is finished with)

   Where a PKIConfirm message is to be transported (always from the
   initiator to the responder) then a pkiMsg message is sent and a
   negPollRep is returned.

   The sequence of messages which can occur is then:

   a) end entity sends pkiMsg and receives one of pollRep, negPollRep,
      partialMsgRep or finalMsgRep in response.

   b) end entity sends pollReq message and receives one of negPollRep,
      partialMsgRep, finalMsgRep or errorMsgRep in response.

   The "time-to-check-back" parameter is a 32-bit integer, defined to be
   the number of seconds which have elapsed since midnight, January 1,
   1970, coordinated universal time. It provides an estimate of the time
   that the end entity should send its next pollReq.
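   The following Python is an added example of the framing above; it is
   not code from RFC 2510 or from any CMP implementation. It builds and
   parses "direct TCP-based PKI messages" (length counts the flag octet
   plus the value, network byte order), decodes each reply type from the
   table, and checks that a reply is one the sequence rules a) and b)
   permit after the message the initiator sent. The local size bound
   MAX_VALUE_LEN is an assumption of this example, not a value from the
   RFC; the protocol itself puts no limit on the length field. The DER
   payloads are opaque here: no PKIMessage is parsed.

```python
import struct

# Flag octets from the "direct TCP-based PKI message" table (Section 5.2).
PKI_MSG, POLL_REP, POLL_REQ, NEG_POLL_REP = 0x00, 0x01, 0x02, 0x03
PARTIAL_MSG_REP, FINAL_MSG_REP, ERROR_MSG_REP = 0x04, 0x05, 0x06

MAX_VALUE_LEN = 1 << 20  # local bound on "value" size (assumption, not from the RFC)

# Replies the sequence rules allow after each message the initiator can send.
ALLOWED_REPLY = {
    PKI_MSG: {POLL_REP, NEG_POLL_REP, PARTIAL_MSG_REP, FINAL_MSG_REP},
    POLL_REQ: {NEG_POLL_REP, PARTIAL_MSG_REP, FINAL_MSG_REP, ERROR_MSG_REP},
}


def encode(flag: int, value: bytes) -> bytes:
    """length (32 bits, network order) | flag (8 bits) | value.
    The length covers the flag octet plus the value octets."""
    if not 0 <= flag <= 0xFF:
        raise ValueError("flag must fit in one octet")
    return struct.pack("!IB", len(value) + 1, flag) + value


def decode(data: bytes) -> tuple:
    """Parse one framed message from the front of data.
    Returns (flag, value, remaining bytes); rejects inconsistent lengths."""
    if len(data) < 5:
        raise ValueError("need at least the length and flag fields")
    length, flag = struct.unpack("!IB", data[:5])
    if length < 1:
        raise ValueError("length must cover at least the flag octet")
    if length - 1 > MAX_VALUE_LEN:
        raise ValueError("value exceeds local size bound")
    end = 4 + length
    if len(data) < end:
        raise ValueError("truncated frame: length field exceeds data present")
    return flag, data[5:end], data[end:]


def encode_poll_rep(poll_ref: int, check_back: int) -> bytes:
    return encode(POLL_REP, struct.pack("!II", poll_ref, check_back))


def encode_partial_msg_rep(next_ref: int, check_back: int, der: bytes) -> bytes:
    return encode(PARTIAL_MSG_REP, struct.pack("!II", next_ref, check_back) + der)


def parse_reply(sent_flag: int, frame: bytes) -> dict:
    """Decode a responder reply and check it is one the sequence rules
    permit after the message the initiator sent (pkiMsg or pollReq)."""
    flag, value, rest = decode(frame)
    if rest:
        raise ValueError("trailing octets after the frame")
    if flag not in ALLOWED_REPLY.get(sent_flag, set()):
        raise ValueError("reply flag %#x not permitted after flag %#x" % (flag, sent_flag))
    if flag == NEG_POLL_REP:
        if value != b"\x00":
            raise ValueError("negPollRep value must be the single octet '00'H")
        return {"type": "negPollRep"}
    if flag == POLL_REP:
        if len(value) != 8:
            raise ValueError("pollRep carries exactly two 32-bit fields")
        ref, tcb = struct.unpack("!II", value)
        return {"type": "pollRep", "pollRef": ref, "timeToCheckBack": tcb}
    if flag == PARTIAL_MSG_REP:
        if len(value) < 8:
            raise ValueError("partialMsgRep too short for its two 32-bit fields")
        ref, tcb = struct.unpack("!II", value[:8])
        return {"type": "partialMsgRep", "pollRef": ref, "timeToCheckBack": tcb,
                "der": value[8:]}
    if flag == FINAL_MSG_REP:
        return {"type": "finalMsgRep", "der": value}
    return {"type": "errorMsgRep", "text": value.decode("utf-8", "replace")}
```

   A listener reading from a socket would call decode() on its buffer
   and keep the returned remainder for the next frame; the length check
   is what stops a short or oversized length field from being trusted
   before the data is actually present.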

5.3 Management Protocol via E-mail

   This subsection specifies a means for conveying ASN.1-encoded
   messages for the protocol exchanges described in Section 4 via
   Internet mail.

   A simple MIME object is specified as follows.

      Content-Type: application/pkixcmp
      Content-Transfer-Encoding: base64

      <<the ASN.1 DER-encoded PKIX-CMP message, base64-encoded>>

   This MIME object can be sent and received using common MIME
   processing engines and provides a simple Internet mail transport for
   PKIX-CMP messages. Implementations MAY wish to also recognize and use
   the "application/x-pkixcmp" MIME type (specified in earlier versions
   of this document) in order to support backward compatibility wherever
   applicable.

5.4 Management Protocol via HTTP

   This subsection specifies a means for conveying ASN.1-encoded
   messages for the protocol exchanges described in Section 4 via the
   HyperText Transfer Protocol.

   A simple MIME object is specified as follows.

      Content-Type: application/pkixcmp

      <<the ASN.1 DER-encoded PKIX-CMP message>>

   This MIME object can be sent and received using common HTTP
   processing engines over WWW links and provides a simple
   browser-server transport for PKIX-CMP messages. Implementations MAY
   wish to also recognize and use the "application/x-pkixcmp" MIME type
   (specified in earlier versions of this document) in order to support
   backward compatibility wherever applicable.
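   The following Python is an added example covering Sections 5.3 and
   5.4; it is not code from RFC 2510 or from any CMP implementation. It
   wraps a DER blob in the mail object (base64 transfer encoding) and
   the HTTP body (raw DER, no transfer encoding), and on receipt checks
   the media type, accepting the legacy "application/x-pkixcmp" name,
   and that the HTTP body really is DER rather than base64 text. The
   SAMPLE_DER value is a constructed stand-in (an empty SEQUENCE), not a
   real PKIMessage; the check that the body begins with 0x30 relies only
   on PKIMessage being an ASN.1 SEQUENCE.

```python
import email
from email.message import EmailMessage
from email.policy import default as default_policy

# Media type from Sections 5.3/5.4 plus the legacy name from earlier drafts.
PKIXCMP_TYPES = ("application/pkixcmp", "application/x-pkixcmp")

# Constructed stand-in for a DER-encoded PKIMessage: an empty SEQUENCE.
# A real PKIMessage is a SEQUENCE too, so it also begins with the 0x30 tag.
SAMPLE_DER = bytes.fromhex("3000")


def build_mail_object(der: bytes) -> bytes:
    """Section 5.3: application/pkixcmp with base64 transfer encoding."""
    msg = EmailMessage()
    msg.set_content(der, maintype="application", subtype="pkixcmp", cte="base64")
    return msg.as_bytes()


def extract_from_mail(raw: bytes) -> bytes:
    """Recover the DER from a received mail object; accept the legacy type."""
    msg = email.message_from_bytes(raw, policy=default_policy)
    if msg.get_content_type() not in PKIXCMP_TYPES:
        raise ValueError("unexpected media type " + msg.get_content_type())
    if (msg.get("Content-Transfer-Encoding") or "").lower() != "base64":
        raise ValueError("Section 5.3 requires base64 transfer encoding")
    return msg.get_content()  # bytes: the content manager base64-decodes for us


def build_http_body(der: bytes) -> tuple:
    """Section 5.4: the raw DER is the entity body, no base64. Returns (headers, body)."""
    return {"Content-Type": "application/pkixcmp", "Content-Length": str(len(der))}, der


def extract_from_http(headers: dict, body: bytes) -> bytes:
    """Check the media type and that the body is raw DER, not base64 text."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type not in PKIXCMP_TYPES:
        raise ValueError("unexpected media type " + media_type)
    if not body or body[0] != 0x30:
        raise ValueError("body does not start with a DER SEQUENCE tag")
    return body
```

   The two transports differ only in the transfer encoding: a receiver
   that base64-decodes an HTTP body, or passes a mail body to the DER
   parser undecoded, fails before any signature or MAC is checked, so
   rejecting the mismatch explicitly gives a clearer error than the
   ASN.1 decoder would.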

6 SECURITY CONSIDERATIONS

   This entire memo is about security mechanisms.

   One cryptographic consideration is worth explicitly spelling out. In
   the protocols specified above, when an end entity is required to
   prove possession of a decryption key, it is effectively challenged to
   decrypt something (its own certificate). This scheme (and many
   others!) could be vulnerable to an attack if the possessor of the
   decryption key in question could be fooled into decrypting an
   arbitrary challenge and returning the cleartext to an attacker.
   Although in this specification a number of other failures in security
   are required in order for this attack to succeed, it is conceivable
   that some future services (e.g., notary, trusted time) could
   potentially be vulnerable to such attacks. For this reason we
   re-iterate the general rule that implementations should be very
   careful about decrypting arbitrary "ciphertext" and revealing
   recovered "plaintext" since such a practice can lead to serious
   security vulnerabilities.

   Note also that exposing a private key to the CA/RA as a
   proof-of-possession technique can carry some security risks
   (depending upon whether or not the CA/RA can be trusted to handle
   such material appropriately). Implementers are advised to exercise
   caution in selecting and using this particular POP mechanism.

References

   [COR95]    ISO/IEC JTC 1/SC 21, Technical Corrigendum 2 to ISO/IEC
              9594-8: 1990 & 1993 (1995:E), July 1995.

   [CRMF]     Myers, M., Adams, C., Solo, D. and D. Kemp, "Certificate
              Request Message Format", RFC 2511, March 1999.

   [MvOV97]   A. Menezes, P. van Oorschot, S. Vanstone, "Handbook of
              Applied Cryptography", CRC Press, 1997.

   [PKCS7]    RSA Laboratories, "The Public-Key Cryptography Standards
              (PKCS)", RSA Data Security Inc., Redwood City, California,
              November 1993 Release.

   [PKCS10]   RSA Laboratories, "The Public-Key Cryptography Standards
              (PKCS)", RSA Data Security Inc., Redwood City, California,
              November 1993 Release.

   [PKCS11]   RSA Laboratories, "The Public-Key Cryptography Standards -
              PKCS #11: Cryptographic token interface standard", RSA
              Data Security Inc., Redwood City, California, April 28,
              1995.

   [RFC1847]  Galvin, J., Murphy, S., Crocker, S. and N. Freed,
              "Security Multiparts for MIME: Multipart/Signed and
              Multipart/Encrypted", RFC 1847, October 1995.

   [RFC2104]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed
              Hashing for Message Authentication", RFC 2104, February
              1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2202]  Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and
              HMAC-SHA-1", RFC 2202, September 1997.

   [X509-AM]  ISO/IEC JTC 1/SC 21, Draft Amendments DAM 4 to ISO/IEC
              9594-2, DAM 2 to ISO/IEC 9594-6, DAM 1 to ISO/IEC 9594-7,
              and DAM 1 to ISO/IEC 9594-8 on Certificate Extensions, 1
              December, 1996.

7 Acknowledgements

   The authors gratefully acknowledge the contributions of various
   members of the PKIX Working Group. Many of these contributions
   significantly clarified and improved the utility of this
   specification.

8 Authors' Addresses

   Carlisle Adams
   Entrust Technologies
   750 Heron Road, Suite E08,
   Ottawa, Ontario
   Canada K1V 1A7

   EMail: cadams@entrust.com

   Stephen Farrell
   Software and Systems Engineering Ltd.
   Fitzwilliam Court
   Leeson Close
   Dublin 2
   IRELAND

   EMail: stephen.farrell@sse.ie

A Reasons for the presence of RAs

   The reasons which justify the presence of an RA can be split into
   those which are due to technical factors and those which are
   organizational in nature. Technical reasons include the following.

   - If hardware tokens are in use, then not all end entities will have
     the equipment needed to initialize these; the RA equipment can
     include the necessary functionality (this may also be a matter of
     policy).

   - Some end entities may not have the capability to publish
     certificates; again, the RA may be suitably placed for this.

   - The RA will be able to issue signed revocation requests on behalf
     of end entities associated with it, whereas the end entity may not
     be able to do this (if the key pair is completely lost).

   Some of the organizational reasons which argue for the presence of an
   RA are the following.

   - It may be more cost effective to concentrate functionality in the
     RA equipment than to supply functionality to all end entities
     (especially if special token initialization equipment is to be
     used).

   - Establishing RAs within an organization can reduce the number of
     CAs required, which is sometimes desirable.

   - RAs may be better placed to identify people with their "electronic"
     names, especially if the CA is physically remote from the end
     entity.

   - For many applications there will already be in place some
     administrative structure so that candidates for the role of RA are
     easy to find (which may not be true of the CA).

B PKI Management Message Profiles.

   This appendix contains detailed profiles for those PKIMessages which
   MUST be supported by conforming implementations (see Section 4).

   Profiles for the PKIMessages used in the following PKI management
   operations are provided:

   - root CA key update

   - information request/response

   - cross-certification request/response (1-way)

   - initial registration/certification - basic authenticated scheme

   - certificate request

   - key update

   Later versions of this document may extend the above to include
   profiles for the operations listed below (along with other
   operations, if desired).

   - revocation request

   - certificate publication

   - CRL publication

B.1 General Rules for interpretation of these profiles.

   1. Where OPTIONAL or DEFAULT fields are not mentioned in individual
      profiles, they SHOULD be absent from the relevant message (i.e., a
      receiver can validly reject a message containing such fields as
      being syntactically incorrect). Mandatory fields are not mentioned
      if they have an obvious value (e.g., pvno).

   2. Where structures occur in more than one message, they are
      separately profiled as appropriate.

   3. The algorithmIdentifiers from PKIMessage structures are profiled
      separately.

   4. A "special" X.500 DN is called the "NULL-DN"; this means a DN
      containing a zero-length SEQUENCE OF RelativeDistinguishedNames
      (its DER encoding is then '3000'H).

   5. Where a GeneralName is required for a field but no suitable value
      is available (e.g., an end entity produces a request before
      knowing its name) then the GeneralName is to be an X.500 NULL-DN
      (i.e., the Name field of the CHOICE is to contain a NULL-DN). This
      special value can be called a "NULL-GeneralName".

   6. Where a profile omits to specify the value for a GeneralName then
      the NULL-GeneralName value is to be present in the relevant
      PKIMessage field. This occurs with the sender field of the
      PKIHeader for some messages.

   7. Where any ambiguity arises due to naming of fields, the profile
      names these using a "dot" notation (e.g., "certTemplate.subject"
      means the subject field within a field called certTemplate).

   8. Where a "SEQUENCE OF types" is part of a message, a zero-based
      array notation is used to describe fields within the SEQUENCE OF
      (e.g., crm[0].certReq.certTemplate.subject refers to a subfield of
      the first CertReqMsg contained in a request message).

   9. All PKI message exchanges in Sections B7 - B10 require a
      PKIConfirm message to be sent by the initiating entity. This
      message is not included in some of the profiles given since its
      body is NULL and its header contents are clear from the context.
      Any authenticated means can be used for the protectionAlg (e.g.,
      password-based MAC, if shared secret information is known, or
      signature).

B.2 Algorithm Use Profile

   The following table contains definitions of algorithm uses within PKI
   management protocols.

   The columns in the table are:

   Name:      an identifier used for message profiles

   Use:       description of where and for what the algorithm is used

   Mandatory: an AlgorithmIdentifier which MUST be supported by
              conforming implementations

   Others:    alternatives to the mandatory AlgorithmIdentifier

   Name          Use                              Mandatory         Others

   MSG_SIG_ALG   Protection of PKI messages       DSA/SHA-1         RSA/MD5...
                 using signature

   MSG_MAC_ALG   protection of PKI messages       PasswordBasedMac  HMAC,
                 using MACing                                       X9.9...

   SYM_PENC_ALG  symmetric encryption of an end   3-DES (3-key-     RC5,
                 entity's private key where       EDE, CBC mode)    CAST-128...
                 symmetric key is distributed
                 out-of-band

   PROT_ENC_ALG  asymmetric algorithm used for    D-H               RSA
                 encryption of (symmetric keys
                 for encryption of) private keys
                 transported in PKIMessages

   PROT_SYM_ALG  symmetric encryption algorithm   3-DES (3-key-     RC5,
                 used for encryption of private   EDE, CBC mode)    CAST-128...
                 key bits (a key of this type is
                 encrypted using PROT_ENC_ALG)

   Mandatory AlgorithmIdentifiers and Specifications:

   DSA/SHA-1:
      AlgId: {1 2 840 10040 4 3};
      NIST, FIPS PUB 186: Digital Signature Standard, 1994;
      Public Modulus size: 1024 bits.

   PasswordBasedMac:
      {1 2 840 113533 7 66 13}, with SHA-1 {1 3 14 3 2 26} as the owf
      parameter and HMAC-SHA1 {1 3 6 1 5 5 8 1 2} as the mac parameter;
      (this specification), along with
      NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995;
      H. Krawczyk, M. Bellare, R. Canetti, "HMAC: Keyed-Hashing for
      Message Authentication", Internet Request for Comments 2104,
      February 1997.

   3-DES:
      {1 2 840 113549 3 7};
      (used in RSA's BSAFE and in S/MIME).

   D-H:
      AlgId: {1 2 840 10046 2 1};
      ANSI X9.42;
      Public Modulus Size: 1024 bits.

      DHParameter ::= SEQUENCE {
          prime    INTEGER,  -- p
          base     INTEGER   -- g
      }

B.3 "Self-signed" certificates

   Profile of how a Certificate structure may be "self-signed". These
   structures are used for distribution of "root" CA public keys. This
   can occur in one of three ways (see Section 2.4 above for a
   description of the use of these structures):

   Type        Function

   newWithNew  a true "self-signed" certificate; the contained public
               key MUST be usable to verify the signature (though this
               provides only integrity and no authentication whatsoever)

   oldWithNew  previous root CA public key signed with new private key

   newWithOld  new root CA public key signed with previous private key

   <<Such certificates (including relevant extensions) must contain
   "sensible" values for all fields. For example, when present
   subjectAltName MUST be identical to issuerAltName, and when present
   keyIdentifiers must contain appropriate values, et cetera.>>

B.4 Proof of Possession Profile

   POP fields for use (in signature field of pop field of
   ProofOfPossession structure) when proving possession of a private
   signing key which corresponds to a public verification key for which
   a certificate has been requested.

   Field                 Value          Comment

   algorithmIdentifier   MSG_SIG_ALG    only signature protection is
                                        allowed for this proof

   signature             present        bits calculated using
                                        MSG_SIG_ALG

   Proof of possession of a private decryption key which corresponds to
   a public encryption key for which a certificate has been requested
   does not use this profile; instead the method given in protectionAlg
   for PKIConfirm in Section B8 is used.

   Not every CA/RA will do Proof-of-Possession (of signing key,
   decryption key, or key agreement key) in the PKIX-CMP in-band
   certification request protocol (how POP is done MAY ultimately be a
   policy issue which is made explicit for any given CA in its
   publicized Policy OID and Certification Practice Statement). However,
   this specification MANDATES that CA/RA entities MUST do POP (by some
   means) as part of the certification process. All end entities MUST be
   prepared to provide POP (i.e., these components of the PKIX-CMP
   protocol MUST be supported).

B.5 Root CA Key Update

   A root CA updates its key pair. It then produces a CA key update
   announcement message which can be made available (via one of the
   transport mechanisms) to the relevant end entities. A PKIConfirm
   message is NOT REQUIRED from the end entities.

   ckuann message:

   Field          Value                        Comment

   sender         CA name                      responding CA name

   body           ckuann(CAKeyUpdAnnContent)
     oldWithNew   present                      see Section B3 above
     newWithOld   present                      see Section B3 above
     newWithNew   present                      see Section B3 above

   extraCerts     optionally present           can be used to "publish"
                                               certificates (e.g.,
                                               certificates signed using
                                               the new private key)

B.6 PKI Information request/response

   The end entity sends general message to the PKI requesting details
   which will be required for later PKI management operations. RA/CA
   responds with general response. If an RA generates the response then
   it will simply forward the equivalent message which it previously
   received from the CA, with the possible addition of the certificates
   to the extraCerts fields of the PKIMessage. A PKIConfirm message is
   NOT REQUIRED from the end entity.

   Message Flows:

   Step#  End entity        PKI
     1    format genm
     2                ->    genm   ->
     3                      handle genm
     4                      produce genp
     5                <-    genp   <-
     6    handle genp

   genm:

   Field          Value

   recipient      CA name
     -- the name of the CA as contained in issuerAltName extensions or
     -- issuer fields within certificates
   protectionAlg  MSG_MAC_ALG or MSG_SIG_ALG
     -- any authenticated protection alg.
   SenderKID      present if required
     -- must be present if required for verification of message
     -- protection
   freeText       any valid value
   body           genr (GenReqContent)
     GenMsgContent  empty SEQUENCE
     -- all relevant information requested
   protection     present
     -- bits calculated using MSG_MAC_ALG or MSG_SIG_ALG

   genp:

   Field          Value

   sender         CA name
     -- name of the CA which produced the message
   protectionAlg  MSG_MAC_ALG or MSG_SIG_ALG
     -- any authenticated protection alg.
   senderKID      present if required
     -- must be present if required for verification of message
     -- protection
   body           genp (GenRepContent)
     CAProtEncCert     present (object identifier one of PROT_ENC_ALG),
                       with relevant value
     -- to be used if end entity needs to encrypt information for the CA
     -- (e.g., private key for recovery purposes)
     SignKeyPairTypes  present, with relevant value
     -- the set of signature algorithm identifiers which this CA will
     -- certify for subject public keys
     EncKeyPairTypes   present, with relevant value
     -- the set of encryption/key agreement algorithm identifiers which
     -- this CA will certify for subject public keys
     PreferredSymmAlg  present (object identifier one of PROT_SYM_ALG),
                       with relevant value
     -- the symmetric algorithm which this CA expects to be used in later
     -- PKI messages (for encryption)
     CAKeyUpdateInfo   optionally present, with relevant value
     -- the CA MAY provide information about a relevant root CA key pair
     -- using this field (note that this does not imply that the
     -- responding CA is the root CA in question)
     CurrentCRL        optionally present, with relevant value
     -- the CA MAY provide a copy of a complete CRL (i.e., fullest
     -- possible one)
   protection     present
     -- bits calculated using MSG_MAC_ALG or MSG_SIG_ALG
   extraCerts     optionally present
     -- can be used to send some certificates to the end entity. An RA
     -- MAY add its certificate here.

B.7 Cross certification request/response (1-way)

   Creation of a single cross-certificate (i.e., not two at once). The
   requesting CA MAY choose who is responsible for publication of the
   cross-certificate created by the responding CA through use of the
   PKIPublicationInfo control.

   Preconditions:

   1. Responding CA can verify the origin of the request (possibly
      requiring out-of-band means) before processing the request.

   2. Requesting CA can authenticate the authenticity of the origin of
      the response (possibly requiring out-of-band means) before
      processing the response

   Message Flows:

   Step#  Requesting CA      Responding CA
     1    format ccr
     2                 ->    ccr   ->
     3                       handle ccr
     4                       produce ccp
     5                 <-    ccp   <-
     6    handle ccp
     7    format conf
     8                 ->    conf  ->
     9                       handle conf

   ccr:

   Field          Value

   sender         Requesting CA name
     -- the name of the CA who produced the message
   recipient      Responding CA name
     -- the name of the CA who is being asked to produce a certificate
   messageTime    time of production of message
     -- current time at requesting CA
   protectionAlg  MSG_SIG_ALG
     -- only signature protection is allowed for this request
   senderKID      present if required
     -- must be present if required for verification of message
     -- protection
   transactionID  present
     -- implementation-specific value, meaningful to requesting CA.
     -- [If already in use at responding CA then a rejection message
     -- MUST be produced by responding CA]
   senderNonce    present
     -- 128 (pseudo-)random bits
   freeText       any valid value
   body           ccr (CertReqMessages)
                  only one CertReqMsg allowed
     -- if multiple cross certificates are required they MUST be packaged
     -- in separate PKIMessages
     certTemplate   present
     -- details follow
       version        v1 or v3
     -- <>
       signingAlg     present
     -- the requesting CA must know in advance with which algorithm it
     -- wishes the certificate to be signed
       subject        present
     -- may be NULL-DN only if subjectAltNames extension value proposed
       validity       present
     -- MUST be completely specified (i.e., both fields present)
       issuer         present
     -- may be NULL-DN only if issuerAltNames extension value proposed
       publicKey      present
     -- the key to be certified (which must be for a signing algorithm)
       extensions     optionally present
     -- a requesting CA must propose values for all extensions which it
     -- requires to be in the cross-certificate
     POPOSigningKey present
     -- see "Proof of possession profile" (Section B4)
   protection     present
     -- bits calculated using MSG_SIG_ALG
   extraCerts     optionally present
     -- MAY contain any additional certificates that requester wishes
     -- to include

   ccp:

   Field          Value

   sender         Responding CA name
     -- the name of the CA who produced the message
   recipient      Requesting CA name
     -- the name of the CA who asked for production of a certificate
   messageTime    time of production of message
     -- current time at responding CA
   protectionAlg  MSG_SIG_ALG
     -- only signature protection is allowed for this message
   senderKID      present if required
     -- must be present if required for verification of message
     -- protection
   recipKID       present if required
   transactionID  present
     -- value from corresponding ccr message
   senderNonce    present
     -- 128 (pseudo-)random bits
   recipNonce     present
     -- senderNonce from corresponding ccr message
   freeText       any valid value
   body           ccp (CertRepMessage)
                  only one CertResponse allowed
     -- if multiple cross certificates are required they MUST be packaged
     -- in separate PKIMessages
     response         present
       status           present
         PKIStatusInfo.status  present
     -- if PKIStatusInfo.status is one of:
     --     granted, or
     --     grantedWithMods,
     -- then certifiedKeyPair MUST be present and failInfo MUST be absent
         failInfo              present depending on PKIStatusInfo.status
     -- if PKIStatusInfo.status is:
     --     rejection
     -- then certifiedKeyPair MUST be absent and failInfo MUST be present
     -- and contain appropriate bit settings
       certifiedKeyPair present depending on PKIStatusInfo.status
         certificate      present depending on certifiedKeyPair
     -- content of actual certificate must be examined by requesting CA
     -- before publication
   protection     present
     -- bits calculated using MSG_SIG_ALG
   extraCerts     optionally present
     -- MAY contain any additional certificates that responder wishes
     -- to include
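   The following Python is an added example that walks the ccr -> ccp ->
   conf exchange of Section 4.6.1 with the header checks from the B.7
   profile above; it is not code from RFC 2510 or from any CMP
   implementation. Both CAs are modelled in one process. Messages are
   protected with a MAC derived from the out-of-band authorization code
   as Section 4.6.1 describes; the key derivation (iterated SHA-256 over
   salt and code) and the JSON serialisation under the MAC are stand-ins
   of this example, not the PasswordBasedMac or the DER protection of
   the real protocol, and the MAC takes the place of the MSG_SIG_ALG
   signature the profile requires. The responder checks pvno and the
   MAC, records its own nonce, rejects a reused transactionID with a
   rejection ccp, and issues a constructed placeholder certificate
   (nothing is really signed); the requester checks the MAC, that
   transactionID and recipNonce match its outstanding ccr, that the
   responder's messageTime is close to its own clock, and that the ccp
   status, certifiedKeyPair and failInfo fields are consistent before it
   answers with a conf that echoes the responder's nonce. The failInfo
   bit chosen for the rejection, badRequest, is this example's choice.

```python
import hashlib, hmac, json, os, time

PVNO = 1  # protocol version in every header; the responder checks it (Section 4.6.1)

def derive_mac_key(auth_code: str, salt: bytes, iterations: int = 1000) -> bytes:
    # Assumption: iterated SHA-256 over salt||code, a stand-in for the RFC's
    # PasswordBasedMac key derivation (Section 3.1.3), which is not reproduced here.
    k = hashlib.sha256(salt + auth_code.encode()).digest()
    for _ in range(iterations - 1):
        k = hashlib.sha256(k).digest()
    return k

def _payload(header: dict, body: dict) -> bytes:
    return json.dumps({"header": header, "body": body}, sort_keys=True).encode()

def protect(key: bytes, header: dict, body: dict) -> dict:
    # MAC over a canonical serialisation (stands in for PKIProtection over the DER).
    return {"header": header, "body": body,
            "protection": hmac.new(key, _payload(header, body), "sha256").hexdigest()}

def verify(key: bytes, msg: dict) -> bool:
    expected = hmac.new(key, _payload(msg["header"], msg["body"]), "sha256").hexdigest()
    return hmac.compare_digest(msg["protection"], expected)

def check_ccp_status(body: dict) -> None:
    # B.7: granted/grantedWithMods => certifiedKeyPair present, failInfo absent;
    # rejection => failInfo present, certifiedKeyPair absent.
    status, pair, fail = body.get("status"), "certifiedKeyPair" in body, "failInfo" in body
    if status in ("granted", "grantedWithMods") and (not pair or fail):
        raise ValueError("granted response must carry certifiedKeyPair and no failInfo")
    if status == "rejection" and (pair or not fail):
        raise ValueError("rejection must carry failInfo and no certifiedKeyPair")
    if status not in ("granted", "grantedWithMods", "rejection"):
        raise ValueError("status %r is not allowed by the profile" % status)

class ResponderCA:
    def __init__(self, name, auth_code, salt):
        self.name, self.key = name, derive_mac_key(auth_code, salt)
        self.seen_tx, self.pending = set(), {}  # transactionIDs used / awaiting conf

    def handle_ccr(self, ccr: dict) -> dict:
        h = ccr["header"]
        if h.get("pvno") != PVNO:
            raise ValueError("unsupported protocol version")
        if not verify(self.key, ccr):
            raise ValueError("ccr MAC invalid")
        my_nonce = os.urandom(16).hex()  # responder random number (128 bits)
        header = {"pvno": PVNO, "sender": self.name, "recipient": h["sender"],
                  "messageTime": int(time.time()), "transactionID": h["transactionID"],
                  "senderNonce": my_nonce, "recipNonce": h["senderNonce"]}
        if h["transactionID"] in self.seen_tx:  # B.7: reused transactionID MUST be rejected
            return protect(self.key, header, {"status": "rejection", "failInfo": ["badRequest"]})
        self.seen_tx.add(h["transactionID"])
        self.pending[h["transactionID"]] = my_nonce
        tmpl = ccr["body"]["certTemplate"]
        # Constructed placeholder certificate; a real responder signs with its private key.
        cert = {"issuer": self.name, "subject": tmpl["subject"], "publicKey": tmpl["publicKey"]}
        return protect(self.key, header, {"status": "granted", "certifiedKeyPair": cert})

    def handle_conf(self, conf: dict) -> bool:
        h = conf["header"]
        if not verify(self.key, conf):
            raise ValueError("conf MAC invalid")
        if self.pending.get(h["transactionID"]) != h["recipNonce"]:
            raise ValueError("conf does not echo our senderNonce")
        del self.pending[h["transactionID"]]
        return True

class RequesterCA:
    def __init__(self, name, auth_code, salt):
        self.name, self.key = name, derive_mac_key(auth_code, salt)
        self.tx_id = self.nonce = None

    def make_ccr(self, responder: str, cert_template: dict) -> dict:
        self.tx_id, self.nonce = os.urandom(8).hex(), os.urandom(16).hex()  # 128-bit nonce
        header = {"pvno": PVNO, "sender": self.name, "recipient": responder,
                  "messageTime": int(time.time()), "transactionID": self.tx_id,
                  "senderNonce": self.nonce}
        return protect(self.key, header, {"certTemplate": cert_template})

    def handle_ccp(self, ccp: dict, max_skew: int = 300) -> tuple:
        h = ccp["header"]  # returns (conf message, certifiedKeyPair or None)
        if not verify(self.key, ccp):
            raise ValueError("ccp MAC invalid")
        if h["transactionID"] != self.tx_id or h["recipNonce"] != self.nonce:
            raise ValueError("ccp does not match our outstanding ccr")
        if abs(h["messageTime"] - int(time.time())) > max_skew:
            raise ValueError("responder system time too far from ours")
        check_ccp_status(ccp["body"])
        header = {"pvno": PVNO, "sender": self.name, "recipient": h["sender"],
                  "transactionID": self.tx_id, "senderNonce": os.urandom(16).hex(),
                  "recipNonce": h["senderNonce"]}
        return protect(self.key, header, {}), ccp["body"].get("certifiedKeyPair")

def run_exchange(auth_code: str = "constructed-auth-code", salt: bytes = b"constructed-salt"):
    # Drive ccr -> ccp -> conf end to end; returns the certifiedKeyPair.
    req = RequesterCA("Requester CA", auth_code, salt)
    rsp = ResponderCA("Responder CA", auth_code, salt)
    ccr = req.make_ccr("Responder CA", {"subject": "CN=Requester CA", "publicKey": "constructed-key"})
    conf, cert = req.handle_ccp(rsp.handle_ccr(ccr))
    rsp.handle_conf(conf)
    return cert
```

   Replaying a captured ccr at the responder produces a rejection rather
   than a second certificate, a tampered ccp fails the MAC before any of
   its fields are read, and a responder holding a different
   authorization code cannot produce an acceptable ccp; the nonce echo
   in each direction is what ties the three messages to one exchange.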

B.8 Initial Registration/Certification (Basic Authenticated Scheme)

An (uninitialized) end entity requests a (first) certificate from a CA. When the CA responds with a message containing a certificate, the end entity replies with a confirmation. All messages are authenticated.

This scheme allows the end entity to request certification of a locally-generated public key (typically a signature key). The end entity MAY also choose to request the centralized generation and certification of another key pair (typically an encryption key pair).

Certification may only be requested for one locally generated public key (for more, use separate PKIMessages). The end entity MUST support proof-of-possession of the private key associated with the locally-generated public key.

Preconditions:

1. The end entity can authenticate the CA's signature based on out-of-band means
2. The end entity and the CA share a symmetric MACing key

Message flow:

Step#  End entity                        PKI
  1    format ir
  2                      ->   ir   ->
  3                                      handle ir
  4                                      format ip
  5                      <-   ip   <-
  6    handle ip
  7    format conf
  8                      ->  conf  ->
  9                                      handle conf

For this profile, we mandate that the end entity MUST include all (i.e., one or two) CertReqMsg in a single PKIMessage and that the PKI (CA) MUST produce a single response PKIMessage which contains the complete response (i.e., including the OPTIONAL second key pair, if it was requested and if centralized key generation is supported). For simplicity, we also mandate that this message MUST be the final one (i.e., no use of "waiting" status value).

ir:

Field                  Value

recipient              CA name
  --  the name of the CA who is being asked to produce a certificate
protectionAlg          MSG_MAC_ALG
  --  only MAC protection is allowed for this request, based on
  --  initial authentication key
senderKID              referenceNum
  --  the reference number which the CA has previously issued to
  --  the end entity (together with the MACing key)
transactionID          present
  --  implementation-specific value, meaningful to end entity.
  --  [If already in use at the CA then a rejection message MUST be
  --  produced by the CA]
senderNonce            present
  --  128 (pseudo-)random bits
freeText               any valid value
body                   ir (CertReqMessages)
                       only one or two CertReqMsg are allowed
  --  if more certificates are required requests MUST be packaged in
  --  separate PKIMessages
CertReqMsg             one or two present
  --  see below for details, note: crm[0] means the first (which MUST
  --  be present), crm[1] means the second (which is OPTIONAL, and used
  --  to ask for a centrally-generated key)
crm[0].certReq.        fixed value of zero
 certReqId
  --  this is the index of the template within the message
crm[0].certReq         present
 certTemplate
  --  MUST include subject public key value, otherwise unconstrained
crm[0].pop...          optionally present if public key
 POPOSigningKey        from crm[0].certReq.certTemplate is
                       a signing key
  --  proof of possession MAY be required in this exchange (see Section
  --  B4 for details)
crm[0].certReq.        optionally present
 controls.archiveOptions
  --  the end entity MAY request that the locally-generated private key
  --  be archived
crm[0].certReq.        optionally present
 controls.publicationInfo
  --  the end entity MAY ask for publication of resulting cert.
crm[1].certReq         fixed value of one
 certReqId
  --  the index of the template within the message
crm[1].certReq         present
 certTemplate
  --  MUST NOT include actual public key bits, otherwise unconstrained
  --  (e.g., the names need not be the same as in crm[0])
crm[0].certReq.        present [object identifier MUST be PROT_ENC_ALG]
 controls.protocolEncKey
  --  if centralized key generation is supported by this CA, this
  --  short-term asymmetric encryption key (generated by the end
  --  entity) will be used by the CA to encrypt the symmetric key that
  --  in turn encrypts a private key generated by the CA on behalf of
  --  the end entity
crm[1].certReq.        optionally present
 controls.archiveOptions
crm[1].certReq.        optionally present
 controls.publicationInfo


protection             present
  --  bits calculated using MSG_MAC_ALG

ip:

Field                  Value

sender                 CA name
  --  the name of the CA who produced the message
messageTime            present
  --  time at which CA produced message
protectionAlg          MSG_MAC_ALG
  --  only MAC protection is allowed for this response
recipKID               referenceNum
  --  the reference number which the CA has previously issued to the
  --  end entity (together with the MACing key)
transactionID          present
  --  value from corresponding ir message
senderNonce            present
  --  128 (pseudo-)random bits
recipNonce             present
  --  value from senderNonce in corresponding ir message
freeText               any valid value
body                   ip (CertRepMessage)
                       contains exactly one response for each request
  --  The PKI (CA) responds to either one or two requests as appropriate.
  --  crc[0] denotes the first (always present); crc[1] denotes the
  --  second (only present if the ir message contained two requests and
  --  if the CA supports centralized key generation).
crc[0].                fixed value of zero
 certReqId
  --  MUST contain the response to the first request in the corresponding
  --  ir message
crc[0].status.         present, positive values allowed:
 status                    "granted", "grantedWithMods"
                       negative values allowed:
                           "rejection"
crc[0].status.         present if and only if
 failInfo              crc[0].status.status is "rejection"
crc[0].                present if and only if
 certifiedKeyPair      crc[0].status.status is
                           "granted" or "grantedWithMods"
certificate            present unless end entity's public
                       key is an encryption key and POP
                       is done in this in-band exchange
encryptedCert          present if and only if end entity's
                       public key is an encryption key and
                       POP done in this in-band exchange
publicationInfo        optionally present
  --  indicates where certificate has been published (present at
  --  discretion of CA)
crc[1].                fixed value of one
 certReqId
  --  MUST contain the response to the second request in the


  --  corresponding ir message
crc[1].status.         present, positive values allowed:
 status                    "granted", "grantedWithMods"
                       negative values allowed:
                           "rejection"
crc[1].status.         present if and only if
 failInfo              crc[1].status.status is "rejection"
crc[1].                present if and only if
 certifiedKeyPair      crc[1].status.status is "granted"
                           or "grantedWithMods"
certificate            present
privateKey             present
publicationInfo        optionally present
  --  indicates where certificate has been published (present at
  --  discretion of CA)
protection             present
  --  bits calculated using MSG_MAC_ALG
extraCerts             optionally present
  --  the CA MAY provide additional certificates to the end entity

conf:

Field                  Value

recipient              CA name
  --  the name of the CA who was asked to produce a certificate
transactionID          present
  --  value from corresponding ir and ip messages
senderNonce            present
  --  value from recipNonce in corresponding ip message
recipNonce             present
  --  value from senderNonce in corresponding ip message
protectionAlg          MSG_MAC_ALG
  --  only MAC protection is allowed for this message.  The MAC is
  --  based on the initial authentication key if only a signing key
  --  pair has been sent in ir for certification, or if POP is not
  --  done in this in-band exchange.  Otherwise, the MAC is based on
  --  a key derived from the symmetric key used to decrypt the
  --  returned encryptedCert.
senderKID              referenceNum
  --  the reference number which the CA has previously issued to the
  --  end entity (together with the MACing key)
body                   conf (PKIConfirmContent)
  --  this is an ASN.1 NULL
protection             present
  --  bits calculated using MSG_MAC_ALG
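The B.8 profile above is mostly a list of bindings between the three messages (transactionID carried through, each recipNonce echoing the peer's senderNonce, recipKID echoing the referenceNum) and of consistency rules inside each CertResponse (a grant carries certifiedKeyPair and no failInfo; a rejection the reverse; "waiting" is forbidden). The following is an added example, not code from RFC 2510 or any CMP implementation, that applies those checks from the end entity's side and then builds the conf header. Messages are modelled as plain Python dicts keyed by the profile's field names rather than DER, the sample messages are constructed, and the function names (check_ip, build_conf, decode_failinfo) and the symbolic MSG_MAC_ALG value are this example's own.

```python
"""End-entity side checks for the B.8 ir / ip / conf exchange (added example)."""
import os

# PKIFailureInfo bit names in bit order, as defined in the ASN.1 module.
FAILURE_INFO_BITS = ["badAlg", "badMessageCheck", "badRequest", "badTime",
                     "badCertId", "badDataFormat", "wrongAuthority",
                     "incorrectData", "missingTimeStamp", "badPOP"]
MSG_MAC_ALG = "MSG_MAC_ALG"   # symbolic name used by the profile tables (assumption)


def decode_failinfo(bitstring):
    """Map a PKIFailureInfo BIT STRING, given as a '0'/'1' string with bit 0 first, to names."""
    return [name for name, bit in zip(FAILURE_INFO_BITS, bitstring) if bit == "1"]


def build_ir(ca_name, reference_num, two_requests):
    """ir header per the profile: MAC protection, referenceNum as senderKID, fresh nonce."""
    reqs = [{"certReqId": 0, "publicKey": b"<pk0>", "pop": "POPOSigningKey"}]
    if two_requests:   # crm[1]: no public key bits, carries the short-term protocolEncKey
        reqs.append({"certReqId": 1, "publicKey": None, "protocolEncKey": b"<short-term>"})
    return {"recipient": ca_name, "protectionAlg": MSG_MAC_ALG, "senderKID": reference_num,
            "transactionID": os.urandom(8), "senderNonce": os.urandom(16),  # 128 random bits
            "body": reqs}


def check_response(crc, index, ee_key_is_encryption, pop_in_band):
    """Apply the status / certifiedKeyPair / failInfo rules to crc[index]."""
    problems = []
    if crc.get("certReqId") != index:
        problems.append("crc[%d].certReqId must be %d" % (index, index))
    status = crc["status"]["status"]
    ckp = crc.get("certifiedKeyPair")
    fail = crc["status"].get("failInfo")
    if status in ("granted", "grantedWithMods"):
        if ckp is None or fail is not None:
            problems.append("crc[%d]: grant needs certifiedKeyPair and no failInfo" % index)
        elif index == 0:
            # certificate unless the EE key is an encryption key with in-band POP,
            # in which case encryptedCert is used instead.
            want_enc = ee_key_is_encryption and pop_in_band
            if ("encryptedCert" in ckp) != want_enc or ("certificate" in ckp) == want_enc:
                problems.append("crc[0]: certificate/encryptedCert choice contradicts POP mode")
        elif "certificate" not in ckp or "privateKey" not in ckp:
            problems.append("crc[1]: centrally generated key needs certificate and privateKey")
    elif status == "rejection":
        if ckp is not None or fail is None:
            problems.append("crc[%d]: rejection needs failInfo and no certifiedKeyPair" % index)
    else:   # "waiting" and the announcement statuses are not allowed in this profile
        problems.append("crc[%d]: status %r not allowed in B.8" % (index, status))
    return problems


def check_ip(ir, ip, ee_key_is_encryption=False, pop_in_band=False):
    """Everything the end entity verifies on ip before accepting any certificate."""
    problems = []
    if ip.get("protectionAlg") != MSG_MAC_ALG:
        problems.append("ip must be MAC protected")
    if ip.get("recipKID") != ir["senderKID"]:
        problems.append("recipKID must echo the referenceNum")
    if ip.get("transactionID") != ir["transactionID"]:
        problems.append("transactionID mismatch")
    if ip.get("recipNonce") != ir["senderNonce"]:
        problems.append("recipNonce must equal ir.senderNonce (replay protection)")
    if len(ip["body"]) != len(ir["body"]):
        problems.append("ip must carry exactly one CertResponse per request")
    for i, crc in enumerate(ip["body"]):
        problems += check_response(crc, i, ee_key_is_encryption, pop_in_band)
    return problems


def build_conf(ir, ip, ee_key_is_encryption=False, pop_in_band=False, cert_sym_key=None):
    """conf header: same transactionID, nonces swapped, MAC key chosen per the profile."""
    mac_key = "initial-authentication-key"
    if ee_key_is_encryption and pop_in_band:   # key derived from encryptedCert's symmetric key
        mac_key = ("derived-from", cert_sym_key)
    return {"recipient": ir["recipient"], "transactionID": ip["transactionID"],
            "senderNonce": ip["recipNonce"], "recipNonce": ip["senderNonce"],
            "protectionAlg": MSG_MAC_ALG, "senderKID": ir["senderKID"],
            "body": None,                      # PKIConfirmContent ::= NULL
            "macKey": mac_key}


if __name__ == "__main__":
    # Constructed sample exchange: two requests, both granted.
    ir = build_ir("CN=Example CA", b"ref-0001", two_requests=True)
    ip = {"protectionAlg": MSG_MAC_ALG, "recipKID": ir["senderKID"],
          "transactionID": ir["transactionID"], "senderNonce": os.urandom(16),
          "recipNonce": ir["senderNonce"],
          "body": [{"certReqId": 0, "status": {"status": "granted"},
                    "certifiedKeyPair": {"certificate": b"<cert0>"}},
                   {"certReqId": 1, "status": {"status": "granted"},
                    "certifiedKeyPair": {"certificate": b"<cert1>", "privateKey": b"<enc>"}}]}
    print(check_ip(ir, ip))
    print(build_conf(ir, ip)["macKey"])
    print(decode_failinfo("0000000001"))
```

The nonce check is the one most often skipped in practice: without it a captured ip can be replayed against a later ir that happens to reuse a transactionID, and the MAC alone does not prevent that because the CA's key is the same shared secret.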

B.9 Certificate Request

An (initialized) end entity requests a certificate from a CA (for any reason). When the CA responds with a message containing a certificate, the end entity replies with a confirmation. All messages are authenticated.

The profile for this exchange is identical to that given in Section B8 with the following exceptions:

- protectionAlg may be MSG_MAC_ALG or MSG_SIG_ALG in request, response, and confirm messages (the determination in the confirm message being dependent upon POP considerations for key-encipherment and key-agreement certificate requests);


- senderKID and recipKID are only present if required for message verification;
- body is cr or cp;
- protocolEncKey is not present;
- protection bits are calculated according to the protectionAlg field.

B.10 Key Update Request

An (initialized) end entity requests a certificate from a CA (to update the key pair and corresponding certificate that it already possesses). When the CA responds with a message containing a certificate, the end entity replies with a confirmation. All messages are authenticated.

The profile for this exchange is identical to that given in Section B8 with the following exceptions:

- protectionAlg may be MSG_MAC_ALG or MSG_SIG_ALG in request, response, and confirm messages (the determination in the confirm message being dependent upon POP considerations for key-encipherment and key-agreement certificate requests);
- senderKID and recipKID are only present if required for message verification;
- body is kur or kup;
- protection bits are calculated according to the protectionAlg field.

C "Compilable" ASN.1 Module using 1988 Syntax

PKIXCMP {iso(1) identified-organization(3)
      dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-cmp(9)}

DEFINITIONS EXPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL --

IMPORTS

    Certificate, CertificateList, Extensions, AlgorithmIdentifier
           FROM PKIX1Explicit88 {iso(1) identified-organization(3)
           dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
           id-pkix1-explicit-88(1)}

    GeneralName, KeyIdentifier, ReasonFlags
           FROM PKIX1Implicit88 {iso(1) identified-organization(3)
           dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
           id-pkix1-implicit-88(2)}

    CertTemplate, PKIPublicationInfo, EncryptedValue, CertId,
    CertReqMessages
           FROM PKIXCRMF {iso(1) identified-organization(3)
           dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
           id-mod-crmf(5)}

    -- CertificationRequest
    --        FROM PKCS10 {no standard ASN.1 module defined;
    --                     implementers need to create their own module
    --                     to import from, or directly include the PKCS10
    --                     syntax in this module}
    ;


-- Locally defined OIDs --

PKIMessage ::= SEQUENCE {
    header           PKIHeader,
    body             PKIBody,
    protection   [0] PKIProtection OPTIONAL,
    extraCerts   [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL
}

PKIHeader ::= SEQUENCE {
    pvno                INTEGER     { ietf-version2 (1) },
    sender              GeneralName,
    -- identifies the sender
    recipient           GeneralName,
    -- identifies the intended recipient
    messageTime     [0] GeneralizedTime         OPTIONAL,
    -- time of production of this message (used when sender
    -- believes that the transport will be "suitable"; i.e.,
    -- that the time will still be meaningful upon receipt)
    protectionAlg   [1] AlgorithmIdentifier     OPTIONAL,
    -- algorithm used for calculation of protection bits
    senderKID       [2] KeyIdentifier           OPTIONAL,
    recipKID        [3] KeyIdentifier           OPTIONAL,
    -- to identify specific keys used for protection
    transactionID   [4] OCTET STRING            OPTIONAL,
    -- identifies the transaction; i.e., this will be the same in
    -- corresponding request, response and confirmation messages
    senderNonce     [5] OCTET STRING            OPTIONAL,
    recipNonce      [6] OCTET STRING            OPTIONAL,
    -- nonces used to provide replay protection, senderNonce
    -- is inserted by the creator of this message; recipNonce
    -- is a nonce previously inserted in a related message by
    -- the intended recipient of this message
    freeText        [7] PKIFreeText             OPTIONAL,
    -- this may be used to indicate context-specific instructions
    -- (this field is intended for human consumption)
    generalInfo     [8] SEQUENCE SIZE (1..MAX) OF
                        InfoTypeAndValue        OPTIONAL
    -- this may be used to convey context-specific information
    -- (this field not primarily intended for human consumption)
}

PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
    -- text encoded as UTF-8 String (note:  each UTF8String SHOULD
    -- include an RFC 1766 language tag to indicate the language
    -- of the contained text)

PKIBody ::= CHOICE {       -- message-specific body elements
    ir       [0]  CertReqMessages,        --Initialization Request
    ip       [1]  CertRepMessage,         --Initialization Response
    cr       [2]  CertReqMessages,        --Certification Request
    cp       [3]  CertRepMessage,         --Certification Response
    p10cr    [4]  CertificationRequest,   --imported from [PKCS10]
    popdecc  [5]  POPODecKeyChallContent, --pop Challenge


    popdecr  [6]  POPODecKeyRespContent,  --pop Response
    kur      [7]  CertReqMessages,        --Key Update Request
    kup      [8]  CertRepMessage,         --Key Update Response
    krr      [9]  CertReqMessages,        --Key Recovery Request
    krp      [10] KeyRecRepContent,       --Key Recovery Response
    rr       [11] RevReqContent,          --Revocation Request
    rp       [12] RevRepContent,          --Revocation Response
    ccr      [13] CertReqMessages,        --Cross-Cert. Request
    ccp      [14] CertRepMessage,         --Cross-Cert. Response
    ckuann   [15] CAKeyUpdAnnContent,     --CA Key Update Ann.
    cann     [16] CertAnnContent,         --Certificate Ann.
    rann     [17] RevAnnContent,          --Revocation Ann.
    crlann   [18] CRLAnnContent,          --CRL Announcement
    conf     [19] PKIConfirmContent,      --Confirmation
    nested   [20] NestedMessageContent,   --Nested Message
    genm     [21] GenMsgContent,          --General Message
    genp     [22] GenRepContent,          --General Response
    error    [23] ErrorMsgContent         --Error Message
}

PKIProtection ::= BIT STRING

ProtectedPart ::= SEQUENCE {
    header    PKIHeader,
    body      PKIBody
}

PasswordBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 13}

PBMParameter ::= SEQUENCE {
    salt                OCTET STRING,
    owf                 AlgorithmIdentifier,
    -- AlgId for a One-Way Function (SHA-1 recommended)
    iterationCount      INTEGER,
    -- number of times the OWF is applied
    mac                 AlgorithmIdentifier
    -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
    -- or HMAC [RFC2104, RFC2202])
}

DHBasedMac ::= OBJECT IDENTIFIER --{1 2 840 113533 7 66 30}

DHBMParameter ::= SEQUENCE {
    owf                 AlgorithmIdentifier,
    -- AlgId for a One-Way Function (SHA-1 recommended)
    mac                 AlgorithmIdentifier
    -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
    -- or HMAC [RFC2104, RFC2202])
}

NestedMessageContent ::= PKIMessage

PKIStatus ::= INTEGER {
    granted                (0),
    -- you got exactly what you asked for
    grantedWithMods        (1),


    -- you got something like what you asked for; the
    -- requester is responsible for ascertaining the differences
    rejection              (2),
    -- you don't get it, more information elsewhere in the message
    waiting                (3),
    -- the request body part has not yet been processed,
    -- expect to hear more later
    revocationWarning      (4),
    -- this message contains a warning that a revocation is
    -- imminent
    revocationNotification (5),
    -- notification that a revocation has occurred
    keyUpdateWarning       (6)
    -- update already done for the oldCertId specified in
    -- CertReqMsg
}

PKIFailureInfo ::= BIT STRING {
-- since we can fail in more than one way!
-- More codes may be added in the future if/when required.
    badAlg           (0),
    -- unrecognized or unsupported Algorithm Identifier
    badMessageCheck  (1),
    -- integrity check failed (e.g., signature did not verify)
    badRequest       (2),
    -- transaction not permitted or supported
    badTime          (3),
    -- messageTime was not sufficiently close to the system time,
    -- as defined by local policy
    badCertId        (4),
    -- no certificate could be found matching the provided criteria
    badDataFormat    (5),
    -- the data submitted has the wrong format
    wrongAuthority   (6),
    -- the authority indicated in the request is different from the
    -- one creating the response token
    incorrectData    (7),
    -- the requester's data is incorrect (for notary services)
    missingTimeStamp (8),
    -- when the timestamp is missing but should be there (by policy)
    badPOP           (9)
    -- the proof-of-possession failed
}

PKIStatusInfo ::= SEQUENCE {
    status        PKIStatus,
    statusString  PKIFreeText     OPTIONAL,
    failInfo      PKIFailureInfo  OPTIONAL
}

OOBCert ::= Certificate

OOBCertHash ::= SEQUENCE {
    hashAlg     [0] AlgorithmIdentifier     OPTIONAL,
    certId      [1] CertId                  OPTIONAL,


    hashVal         BIT STRING
    -- hashVal is calculated over DER encoding of the
    -- subjectPublicKey field of the corresponding cert.
}

POPODecKeyChallContent ::= SEQUENCE OF Challenge
    -- One Challenge per encryption key certification request (in the
    -- same order as these requests appear in CertReqMessages).

Challenge ::= SEQUENCE {
    owf                 AlgorithmIdentifier  OPTIONAL,
    -- MUST be present in the first Challenge; MAY be omitted in any
    -- subsequent Challenge in POPODecKeyChallContent (if omitted,
    -- then the owf used in the immediately preceding Challenge is
    -- to be used).
    witness             OCTET STRING,
    -- the result of applying the one-way function (owf) to a
    -- randomly-generated INTEGER, A.  [Note that a different
    -- INTEGER MUST be used for each Challenge.]
    challenge           OCTET STRING
    -- the encryption (under the public key for which the cert.
    -- request is being made) of Rand, where Rand is specified as
    --   Rand ::= SEQUENCE {
    --      int      INTEGER,
    --       - the randomly-generated INTEGER A (above)
    --      sender   GeneralName
    --       - the sender's name (as included in PKIHeader)
    --   }
}

POPODecKeyRespContent ::= SEQUENCE OF INTEGER
    -- One INTEGER per encryption key certification request (in the
    -- same order as these requests appear in CertReqMessages).  The
    -- retrieved INTEGER A (above) is returned to the sender of the
    -- corresponding Challenge.

CertRepMessage ::= SEQUENCE {
    caPubs       [1] SEQUENCE SIZE (1..MAX) OF Certificate OPTIONAL,
    response         SEQUENCE OF CertResponse
}

CertResponse ::= SEQUENCE {
    certReqId           INTEGER,
    -- to match this response with corresponding request (a value
    -- of -1 is to be used if certReqId is not specified in the
    -- corresponding request)
    status              PKIStatusInfo,
    certifiedKeyPair    CertifiedKeyPair    OPTIONAL,
    rspInfo             OCTET STRING        OPTIONAL
    -- analogous to the id-regInfo-asciiPairs OCTET STRING defined
    -- for regInfo in CertReqMsg [CRMF]
}

CertifiedKeyPair ::= SEQUENCE {


    certOrEncCert       CertOrEncCert,
    privateKey      [0] EncryptedValue      OPTIONAL,
    publicationInfo [1] PKIPublicationInfo  OPTIONAL
}

CertOrEncCert ::= CHOICE {
    certificate     [0] Certificate,
    encryptedCert   [1] EncryptedValue
}

KeyRecRepContent ::= SEQUENCE {
    status                  PKIStatusInfo,
    newSigCert          [0] Certificate                   OPTIONAL,
    caCerts             [1] SEQUENCE SIZE (1..MAX) OF
                                        Certificate       OPTIONAL,
    keyPairHist         [2] SEQUENCE SIZE (1..MAX) OF
                                        CertifiedKeyPair  OPTIONAL
}

RevReqContent ::= SEQUENCE OF RevDetails

RevDetails ::= SEQUENCE {
    certDetails         CertTemplate,
    -- allows requester to specify as much as they can about
    -- the cert. for which revocation is requested
    -- (e.g., for cases in which serialNumber is not available)
    revocationReason    ReasonFlags      OPTIONAL,
    -- the reason that revocation is requested
    badSinceDate        GeneralizedTime  OPTIONAL,
    -- indicates best knowledge of sender
    crlEntryDetails     Extensions       OPTIONAL
    -- requested crlEntryExtensions
}

RevRepContent ::= SEQUENCE {
    status       SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
    -- in same order as was sent in RevReqContent
    revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
    -- IDs for which revocation was requested (same order as status)
    crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
    -- the resulting CRLs (there may be more than one)
}

CAKeyUpdAnnContent ::= SEQUENCE {
    oldWithNew         Certificate, -- old pub signed with new priv
    newWithOld         Certificate, -- new pub signed with old priv
    newWithNew         Certificate  -- new pub signed with new priv
}

CertAnnContent ::= Certificate

RevAnnContent ::= SEQUENCE {
    status              PKIStatus,
    certId              CertId,


    willBeRevokedAt     GeneralizedTime,
    badSinceDate        GeneralizedTime,
    crlDetails          Extensions  OPTIONAL
    -- extra CRL details (e.g., crl number, reason, location, etc.)
}

CRLAnnContent ::= SEQUENCE OF CertificateList

PKIConfirmContent ::= NULL

InfoTypeAndValue ::= SEQUENCE {
    infoType               OBJECT IDENTIFIER,
    infoValue              ANY DEFINED BY infoType  OPTIONAL
}
-- Example InfoTypeAndValue contents include, but are not limited to:
-- { CAProtEncCert    = {id-it 1}, Certificate                     }
-- { SignKeyPairTypes = {id-it 2}, SEQUENCE OF AlgorithmIdentifier }
-- { EncKeyPairTypes  = {id-it 3}, SEQUENCE OF AlgorithmIdentifier }
-- { PreferredSymmAlg = {id-it 4}, AlgorithmIdentifier             }
-- { CAKeyUpdateInfo  = {id-it 5}, CAKeyUpdAnnContent              }
-- { CurrentCRL       = {id-it 6}, CertificateList                 }
-- where {id-it} = {id-pkix 4} = {1 3 6 1 5 5 7 4}
-- This construct MAY also be used to define new PKIX Certificate
-- Management Protocol request and response messages, or general-
-- purpose (e.g., announcement) messages for future needs or for
-- specific environments.

GenMsgContent ::= SEQUENCE OF InfoTypeAndValue
-- May be sent by EE, RA, or CA (depending on message content).
-- The OPTIONAL infoValue parameter of InfoTypeAndValue will typically
-- be omitted for some of the examples given above.  The receiver is
-- free to ignore any contained OBJ. IDs that it does not recognize.
-- If sent from EE to CA, the empty set indicates that the CA may send
-- any/all information that it wishes.

GenRepContent ::= SEQUENCE OF InfoTypeAndValue
-- The receiver is free to ignore any contained OBJ. IDs that it does
-- not recognize.

ErrorMsgContent ::= SEQUENCE {
    pKIStatusInfo          PKIStatusInfo,
    errorCode              INTEGER           OPTIONAL,
    -- implementation-specific error codes
    errorDetails           PKIFreeText       OPTIONAL
    -- implementation-specific error details
}

-- The following definition is provided for compatibility reasons with
-- 1988 and 1993 ASN.1 compilers which allow the use of UNIVERSAL class
-- tags (not a part of formal ASN.1); 1997 and subsequent compilers
-- SHOULD comment out this line.
UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING


END
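The MAC protection that the B.8 profile relies on (protectionAlg MSG_MAC_ALG) is carried in the module above as PasswordBasedMac with PBMParameter as its parameters: the receiver recovers salt, owf, iterationCount and mac from the header, derives the MAC key from the shared initial authentication key, and checks the PKIProtection bits over DER(ProtectedPart). The derivation itself is the one RFC 2510 specifies in section 5.1.3.1 (not reproduced in this excerpt): the salt is appended to the shared secret, the OWF is applied iterationCount times, and the final output is the key for the MAC. The block below is an added example, not code from RFC 2510 or any CMP implementation, covering both the B.8 MAC requirement and the PBMParameter definition. It assumes SHA-1 as the OWF and HMAC-SHA1 as the MAC (the OIDs OID_SHA1, OID_HMAC_SHA1 and OID_PBM are real, but mapping only those two is this example's choice), a local policy cap MAX_ITERATIONS, and that DER(ProtectedPart) is handed in as bytes; the DER helpers only cover what PBMParameter needs and the ProtectedPart bytes in the demo are a constructed placeholder.

```python
"""PasswordBasedMac protection for CMP messages (added example, RFC 2510 5.1.3.1)."""
import hashlib
import hmac

OID_SHA1 = "1.3.14.3.2.26"            # id-sha1: the OWF the module recommends
OID_HMAC_SHA1 = "1.3.6.1.5.5.8.1.2"   # hMAC-SHA1 (RFC 2104 / RFC 2202)
OID_PBM = "1.2.840.113533.7.66.13"    # id-PasswordBasedMac, goes in protectionAlg
MAX_ITERATIONS = 100000               # assumption: local policy cap (peer-controlled work)
OWF_BY_OID = {OID_SHA1: "sha1"}       # only SHA-1 is mapped in this example


# --- minimal DER encoder / decoder, enough for PBMParameter -----------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))


def der_int(n):                               # non-negative INTEGER, minimal encoding
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def alg_id(oid):                              # AlgorithmIdentifier with parameters absent
    return der(0x30, der_oid(oid))


def encode_pbm_parameter(salt, iteration_count, owf=OID_SHA1, mac=OID_HMAC_SHA1):
    return der(0x30, der(0x04, salt) + alg_id(owf) + der_int(iteration_count) + alg_id(mac))


def _tlvs(data):                              # split DER into (tag, value) pairs
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        out.append((tag, data[i:i + n]))
        i += n
    return out


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_pbm_parameter(der_bytes):
    (tag, seq), = _tlvs(der_bytes)
    (t_salt, salt), (_, owf), (_, cnt), (_, mac) = _tlvs(seq)
    assert tag == 0x30 and t_salt == 0x04
    return {"salt": salt, "owf": decode_oid(_tlvs(owf)[0][1]),
            "iterationCount": int.from_bytes(cnt, "big"),
            "mac": decode_oid(_tlvs(mac)[0][1])}


# --- key derivation and protection bits -------------------------------------
def derive_basekey(shared_secret, salt, iteration_count, owf_name="sha1"):
    """BASEKEY = OWF applied iterationCount times, starting from secret || salt."""
    x = shared_secret + salt
    for _ in range(iteration_count):
        x = hashlib.new(owf_name, x).digest()
    return x


def compute_protection(shared_secret, pbm_param_der, protected_part_der):
    """PKIProtection bits for DER(ProtectedPart) under the given PBMParameter."""
    p = decode_pbm_parameter(pbm_param_der)
    if p["iterationCount"] > MAX_ITERATIONS or p["mac"] != OID_HMAC_SHA1:
        raise ValueError("unacceptable PBMParameter")      # report as failInfo badAlg
    key = derive_basekey(shared_secret, p["salt"], p["iterationCount"], OWF_BY_OID[p["owf"]])
    return hmac.new(key, protected_part_der, "sha1").digest()


def verify_protection(shared_secret, pbm_param_der, protected_part_der, protection):
    try:
        expected = compute_protection(shared_secret, pbm_param_der, protected_part_der)
    except (ValueError, KeyError):                          # bad params or unmapped OWF
        return False
    return hmac.compare_digest(expected, protection)        # constant-time comparison


if __name__ == "__main__":
    secret = b"initial-authentication-key"                 # constructed shared secret
    params = encode_pbm_parameter(b"\x01\x02\x03\x04\x05\x06\x07\x08", 1000)
    protected = b"\x30\x02\x30\x00"                          # placeholder for DER(ProtectedPart)
    mac = compute_protection(secret, params, protected)
    print(verify_protection(secret, params, protected, mac))
    print(verify_protection(b"wrong-secret", params, protected, mac))
```

Two points matter on the receiving side. First, PBMParameter arrives in the unauthenticated header, so iterationCount is attacker-chosen until the MAC has been checked; without a cap such as MAX_ITERATIONS a single ir can cost the CA an arbitrary amount of hashing. Second, the MAC is computed over DER(ProtectedPart), i.e. header and body together, so the transactionID and nonces the B.8 profile relies on are covered by it, but only once the receiver has also compared them against its own state.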

D Registration of MIME Type for Section 5

To: ietf-types@iana.org
Subject: Registration of MIME media type application/pkixcmp

MIME media type name: application

MIME subtype name: pkixcmp

Required parameters: -

Optional parameters: -

Encoding considerations: Content may contain arbitrary octet values (the ASN.1 DER encoding of a PKI message, as defined in the IETF PKIX Working Group specifications). base64 encoding is required for MIME e-mail; no encoding is necessary for HTTP.

Security considerations: This MIME type may be used to transport Public-Key Infrastructure (PKI) messages between PKI entities. These messages are defined by the IETF PKIX Working Group and are used to establish and maintain an Internet X.509 PKI. There is no requirement for specific security mechanisms to be applied at this level if the PKI messages themselves are protected as defined in the PKIX specifications.

Interoperability considerations: -

Published specification: this document

Applications which use this media type: Applications using certificate management, operational, or ancillary protocols (as defined by the IETF PKIX Working Group) to send PKI messages via E-Mail or HTTP.

Additional information:

Magic number(s): -
File extension(s): ".PKI"
Macintosh File Type Code(s): -

Person and email address to contact for further information: Carlisle Adams, cadams@entrust.com

Intended usage: COMMON

Author/Change controller: Carlisle Adams

Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


