<?xml version='1.0' encoding='utf-8'?>

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.4.2 -->
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lamps-rfc7299-update-02" number="9158" submissionType="IETF" category="info" consensus="true" updates="7299" obsoletes="" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.10.0 -->

  <front>
    <title abbrev="CRMF Algorithm Requirements Update">Update to the Object Identifier Registry for the PKIX Working Group</title>
    <seriesInfo name="RFC" value="9158"/>
    <author initials="R." surname="Housley" fullname="Russ Housley">
      <organization abbrev="Vigil Security">Vigil Security, LLC</organization>
      <address>
        <postal>
          <street>516 Dranesville Road</street>
          <city>Herndon</city>
          <region>VA</region>
          <code>20170</code>
          <country>United States of America</country>
        </postal>
        <email>housley@vigilsec.com</email>
      </address>
    </author>
    <date year="2021" month="November"/>
    <area>Security</area>
    <keyword>Internet-Draft</keyword>

<keyword>Certificate Request Message Format</keyword>
<keyword>CRMF</keyword>
<keyword>CRMF Registration Controls</keyword>
<keyword>Alternate Certificate Formats</keyword>

    <abstract>
      <t>RFC 7299 describes the object identifiers that were assigned by the
      Public Key Infrastructure using X.509 (PKIX) Working Group in an arc
      that was allocated by IANA (1.3.6.1.5.5.7).  A small number of object
      identifiers that were assigned in RFC 4212 are omitted from RFC 7299,
      and this document updates RFC 7299 to correct that oversight.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="intro" numbered="true" toc="default">
      <name>Introduction</name>
      <t>When the Public Key Infrastructure using X.509 (PKIX) Working Group
      was chartered, an object identifier arc was allocated by IANA for use by
      that working group.  After the PKIX Working Group was closed, <xref target="RFC7299" format="default"/>
      was published to describe the
      object identifiers that were assigned in that arc.  A small number of
      object identifiers that were assigned in <xref target="RFC4212" format="default"/>
      are not included in RFC 7299, and this document
      corrects that oversight.</t>
      <t>The PKIX Certificate Management Protocol (CMP) <xref target="RFC4210"
      format="default"/> allocated id-regCtrl-altCertTemplate
      (1.3.6.1.5.5.7.5.1.7), and then two object identifiers were assigned
      within that arc <xref target="RFC4212" format="default"/>, which were
      intended to be used with either PKIX CMP <xref target="RFC4210"
      format="default"/> or PKIX Certificate Management over CMS (CMC) <xref
      target="RFC5272" format="default"/> <xref target="RFC5273"
      format="default"/> <xref target="RFC5274" format="default"/> <xref
      target="RFC6402" format="default"/>.</t>
      <t>This document describes the object identifiers that were assigned in
      that arc, establishes an IANA registry for that arc, and establishes
      IANA allocation policies for any future assignments within that arc.</t>
    </section>

    <section anchor="iana-considerations" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>IANA has created a new subregistry.</t>
      <section anchor="smi-security-for-pkix-crmf-registration-controls-for-alternate-certificate-formats-registry" numbered="true" toc="default">
        <name>"SMI Security for PKIX CRMF Registration Controls for Alternate Certificate Formats" Registry</name>
        <t>Within the "Structure of Management Information (SMI) Numbers (MIB Module Registrations)" registry, IANA has created the "SMI Security for PKIX CRMF
Registration Controls for Alternate Certificate Formats" subregistry (1.3.6.1.5.5.7.5.1.7). The initial contents of this subregistry are as follows:</t>

<table anchor="table">
  <name>New SMI Security for PKIX CRMF Registration Controls for Alternate Certificate Formats (1.3.6.1.5.5.7.5.1.7) Subregistry</name>
  <thead>
    <tr>
      <th>Decimal</th>
      <th>Description</th>
      <th>References</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>1</td>
      <td>id-acTemplate</td>
      <td><xref target="RFC4212"/></td>
    </tr>
    <tr>
      <td>2</td>
      <td>id-openPGPCertTemplateExt</td>
      <td><xref target="RFC4212"/></td>
    </tr>
  </tbody>
</table>

<t>Future updates to the registry table are to be made according to the
Specification Required policy as defined in <xref target="RFC8126" format="default"/>.  The expert is
expected to ensure that any new values are strongly related to the work
that was done by the PKIX Working Group.  In particular, additional object
identifiers should be needed for use with either the PKIX CMP or PKIX CMC to
support alternative certificate formats.  Object identifiers for other purposes
should not be assigned in this arc.</t>
      </section>
    </section>
    <section anchor="security-considerations" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>This document populates an IANA registry, and it raises no new
security considerations.  The protocols that specify these values
include the security considerations associated with their usage.</t>
    </section>
  </middle>
  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8126" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author initials="M." surname="Cotton" fullname="M. Cotton">
              <organization/>
            </author>
            <author initials="B." surname="Leiba" fullname="B. Leiba">
              <organization/>
            </author>
            <author initials="T." surname="Narten" fullname="T. Narten">
              <organization/>
            </author>
            <date year="2017" month="June"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters.  To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper.  For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed.  This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC7299" target="https://www.rfc-editor.org/info/rfc7299" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7299.xml">
          <front>
            <title>Object Identifier Registry for the PKIX Working Group</title>
            <author initials="R." surname="Housley" fullname="R. Housley">
              <organization/>
            </author>
            <date year="2014" month="July"/>
            <abstract>
              <t>When the Public-Key Infrastructure using X.509 (PKIX) Working Group was chartered, an object identifier arc was allocated by IANA for use by that working group.  This document describes the object identifiers that were assigned in that arc, returns control of that arc to IANA, and establishes IANA allocation policies for any future assignments within that arc.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7299"/>
          <seriesInfo name="DOI" value="10.17487/RFC7299"/>
        </reference>

      </references>
      <references>
        <name>Informative References</name>
        <reference anchor="RFC4210" target="https://www.rfc-editor.org/info/rfc4210" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4210.xml">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)</title>
            <author initials="C." surname="Adams" fullname="C. Adams">
              <organization/>
            </author>
            <author initials="S." surname="Farrell" fullname="S. Farrell">
              <organization/>
            </author>
            <author initials="T." surname="Kause" fullname="T. Kause">
              <organization/>
            </author>
            <author initials="T." surname="Mononen" fullname="T. Mononen">
              <organization/>
            </author>
            <date year="2005" month="September"/>
            <abstract>
              <t>This document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocol (CMP).  Protocol messages are defined for X.509v3 certificate creation and management.  CMP provides on-line interactions between PKI components, including an exchange between a Certification Authority (CA) and a client system.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4210"/>
          <seriesInfo name="DOI" value="10.17487/RFC4210"/>
        </reference>
        <reference anchor="RFC4212" target="https://www.rfc-editor.org/info/rfc4212" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4212.xml">
          <front>
            <title>Alternative Certificate Formats for the Public-Key Infrastructure Using X.509 (PKIX) Certificate Management Protocols</title>
            <author initials="M." surname="Blinov" fullname="M. Blinov">
              <organization/>
            </author>
            <author initials="C." surname="Adams" fullname="C. Adams">
              <organization/>
            </author>
            <date year="2005" month="October"/>
            <abstract>
              <t>The Public-Key Infrastructure using X.509 (PKIX) Working Group of the Internet Engineering Task Force (IETF) has defined a number of certificate management protocols.  These protocols are primarily focused on X.509v3 public-key certificates.  However, it is sometimes desirable to manage certificates in alternative formats as well.  This document specifies how such certificates may be requested using the Certificate Request Message Format (CRMF) syntax that is used by several different protocols.  It also explains how alternative certificate formats may be incorporated into such popular protocols as PKIX Certificate Management Protocol (PKIX-CMP) and Certificate Management Messages over CMS (CMC).  This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4212"/>
          <seriesInfo name="DOI" value="10.17487/RFC4212"/>
        </reference>
        <reference anchor="RFC5272" target="https://www.rfc-editor.org/info/rfc5272" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5272.xml">
          <front>
            <title>Certificate Management over CMS (CMC)</title>
            <author initials="J." surname="Schaad" fullname="J. Schaad">
              <organization/>
            </author>
            <author initials="M." surname="Myers" fullname="M. Myers">
              <organization/>
            </author>
            <date year="2008" month="June"/>
            <abstract>
              <t>This document defines the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS). This protocol addresses two immediate needs within the Internet Public Key Infrastructure (PKI) community:</t>
              <t>1.  The need for an interface to public key certification products and services based on CMS and PKCS #10 (Public Key Cryptography Standard), and</t>
              <t>2.  The need for a PKI enrollment protocol for encryption only keys due to algorithm or hardware design.</t>
              <t>CMC also requires the use of the transport document and the requirements usage document along with this document for a full definition.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5272"/>
          <seriesInfo name="DOI" value="10.17487/RFC5272"/>
        </reference>
        <reference anchor="RFC5273" target="https://www.rfc-editor.org/info/rfc5273" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5273.xml">
          <front>
            <title>Certificate Management over CMS (CMC): Transport Protocols</title>
            <author initials="J." surname="Schaad" fullname="J. Schaad">
              <organization/>
            </author>
            <author initials="M." surname="Myers" fullname="M. Myers">
              <organization/>
            </author>
            <date year="2008" month="June"/>
            <abstract>
              <t>This document defines a number of transport mechanisms that are used to move CMC (Certificate Management over CMS (Cryptographic Message Syntax)) messages.  The transport mechanisms described in this document are HTTP, file, mail, and TCP.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5273"/>
          <seriesInfo name="DOI" value="10.17487/RFC5273"/>
        </reference>
        <reference anchor="RFC5274" target="https://www.rfc-editor.org/info/rfc5274" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5274.xml">
          <front>
            <title>Certificate Management Messages over CMS (CMC): Compliance Requirements</title>
            <author initials="J." surname="Schaad" fullname="J. Schaad">
              <organization/>
            </author>
            <author initials="M." surname="Myers" fullname="M. Myers">
              <organization/>
            </author>
            <date year="2008" month="June"/>
            <abstract>
              <t>This document provides a set of compliance statements about the CMC (Certificate Management over CMS) enrollment protocol.  The ASN.1 structures and the transport mechanisms for the CMC enrollment protocol are covered in other documents.  This document provides the information needed to make a compliant version of CMC.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5274"/>
          <seriesInfo name="DOI" value="10.17487/RFC5274"/>
        </reference>
        <reference anchor="RFC6402" target="https://www.rfc-editor.org/info/rfc6402" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6402.xml">
          <front>
            <title>Certificate Management over CMS (CMC) Updates</title>
            <author initials="J." surname="Schaad" fullname="J. Schaad">
              <organization/>
            </author>
            <date year="2011" month="November"/>
            <abstract>
              <t>This document contains a set of updates to the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS).  This document updates RFC 5272, RFC 5273, and RFC 5274.</t>
              <t>The new items in this document are: new controls for future work in doing server side key generation, definition of a Subject Information Access value to identify CMC servers, and the registration of a port number for TCP/IP for the CMC service to run on.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6402"/>
          <seriesInfo name="DOI" value="10.17487/RFC6402"/>
        </reference>


      </references>
    </references>

  </back>
</rfc>