Secure Object Delivery Protocol (SODP) Server Interfaces: NSA's Profile for Delivery of Certificates, Certificate Revocation Lists (CRLs), and Symmetric Keys to ClientsNational Security Agencymjjenki@cyber.nsa.govsn3rdsean@sn3rd.comCNSANSS
This document specifies protocol interfaces profiled by the United States National Security Agency (NSA) for National Security System (NSS) servers that provide public key certificates, Certificate Revocation Lists (CRLs), and symmetric keys to NSS clients.
Servers that support these interfaces are referred to as Secure
Object Delivery Protocol (SODP) servers. The intended audience for this
profile comprises developers of client devices that will obtain key
management services from NSA-operated SODP servers. Interfaces
supported by SODP servers include Enrollment over Secure
Transport (EST) and its extensions as well as Certificate Management
over CMS (CMC).
This profile applies to the capabilities, configuration, and operation of
all components of US National Security Systems (SP 800-59). It is also
appropriate for other US Government systems that process high-value
information. It is made publicly available for use by developers and
operators of these and any other system deployments.Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any
other RFC stream. The RFC Editor has chosen to publish this
document at its discretion and makes no statement about its value
for implementation or deployment. Documents approved for
publication by the RFC Editor are not candidates for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document.
Table of Contents
Introduction
This document specifies protocol interfaces profiled by the United States National Security Agency (NSA) for National Security
System (NSS) servers that provide public key certificates, Certificate Revocation Lists (CRLs), and symmetric keys to NSS clients.
Servers that support these interfaces are referred to as Secure
Object Delivery Protocol (SODP) servers. The purpose of this document is
to indicate options from, and requirements in addition to, the base
specifications listed in that are necessary for client
interoperability with NSA-operated SODP servers. Clients are always
devices and need not implement all of the interfaces specified
herein; clients are free to choose which interfaces to implement
based on their operational requirements. Interfaces supported by
SODP servers include:
Enrollment over Secure Transport (EST) and its
extensions , and
Certificate Management over CMS (CMC) for both Simple Public Key
Infrastructure (PKI) requests and responses (i.e., PKCS#10 requests
and PKCS#7 responses) and Full PKI requests and responses.
This profile applies to the capabilities, configuration, and operation of
all components of US National Security Systems . It is also
appropriate for other US Government systems that process high-value
information. It is made publicly available for use by developers and
operators of these and any other system deployments.
This profile conforms to the existing requirements of the NSA's
Commercial National Security Algorithms (CNSAs). As operational needs evolve
over time, this profile will be updated to incorporate new commercial
algorithms and protocols as they are developed and approved for use.Documents to be Familiar WithFamiliarity with the follow specifications is assumed:
CMS-related (Cryptographic Message Syntax) documents: and
CNSA-related documents: , , , and
The requirements from RFCs apply throughout this profile and are
generally not repeated here. This document is purposely written
without using the requirements language described in and .Document Organization The document is organized as follows:
The remainder of this section describes the operational
environment used by clients to retrieve secure objects.
specifies the Abstract Syntax Notation One (ASN.1) version used.
Sections and specify Relying Party Applications and CRL Profile, respectively.
Environment
Clients obtain
secure "objects" or "packages" from the client-server-based environment. Objects/packages vary based on the
Source of Authority (SOA), but all objects are "secured" minimally
through the use of one or more digital signatures and zero or more
layers of encryption, as profiled in this document. An SOA is the
authority for the creation of objects that the client will recognize
as valid. An SOA can delegate its authority to other actors;
delegation occurs through the issuance of certificates. An object or
package is the generic term for certificates, certificate status
information, and keys (both asymmetric and symmetric). All of the
objects except for the certificates and certificate status
information are directly encapsulated in and protected by CMS content
types. CMS content types that provide security are referred to as
"CMS-protecting content types". All others are simply referred to as
"CMS content types". All secured objects are distributed either as CMS
packages or as part of a CMS package.
In the example depicted in , there are two SOAs:
one for symmetric keys, as depicted by the Key Trust Anchor (KTA),
and one for public key certificates, as depicted by the PKI Trust
Anchor (TA). The KTA is responsible for the creation and distribution of
symmetric keys. The KTA delegates the creation and distribution
responsibilities to separate entities through the issuance of
certificates to a Key Source Authority (KSA) and a Key
Distribution Authority (KDA). The KSA generates the keys, digitally signs
the keys, and encrypts the key for the end client using CMS content
types for each step. The KDA distributes the KSA-generated and KSA-protected key to the client; the key may also be signed by the KDA.
The resulting CMS package is provided to the client through the EST
extension's /symmetrickey service. The PKI TA is responsible for the
creation, distribution, and management of public key certificates.
The PKI TA delegates these responsibilities to Certification
Authorities (CAs), and CAs, in turn, are responsible for creating,
distributing, and managing End-Entity (EE) certificates. CAs
distribute PKI-related information through the /cacerts, /crls,
/eecerts, /fullcmc, /simpleenroll, /simplereenroll, and /csrattrs EST
and EST extension services.
For clients that support the CMC interface and not the EST interface,
the environment includes only the PKI TAs.Abstract Syntax Notation One
Implementations of this specification use the 2002/2008
ASN.1 version; 2002/2008 ASN.1 modules can be found in
, , and (use for the CMS syntax), while other specifications already include the 2002/2008 ASN.1 along
with the 1988 ASN.1. See for a discussion
about the differences between the 2002 and 2008 ASN.1 versions.EST Interface
Client options for EST and EST extensions are
specified in this section.Hypertext Transfer Protocol Layer
Clients that receive redirection responses (3xx status codes) will
terminate the connection ().
Per , clients indicate the format
("application/xml" or "application/json") of the PAL information
() via the HTTP Accept header.Transport Layer Security
TLS implementations are configured as specified in
; the notable exception is that only EC-based
algorithms are used.Eligibility
At the EST interface, servers only enroll clients that they have
established a prior relationship with independently of
the EST service. To accomplish this, client owners/operators
interact in person with the human acting as the Registration
Authority (RA) to ensure the information included in the transmitted
certificate request, which is sometimes called a Certificate
Signing Request (CSR), is associated with a client. The mechanism by
which the owner/operator interacts with the RA as well as
the information provided is beyond the scope of this document. The
information exchanged by the owner/operator might be something as
simple as the subject name included in the CSR to be sent or a copy
of the certificate that will be used to verify the certificate
request, which is provided out of band.Authentication
Mutual authentication occurs via "Certificate TLS Authentication"
(). Clients provide their certificate to
servers in the TLS Certificate message, which is sent in response to
the server's TLS Certificate Request message. Both servers and
clients reject all attempts to authenticate based on certificates
that cannot be validated back to an installed TA.Authorization
Clients always use an explicit TA database (). At a minimum, clients support two TAs: one for the PKI and
one for symmetric keys.
Clients check that the server's certificate includes the id-kp-cmcRA
Extended Key Usage (EKU) value ().
Clients that support processing of the CMS Content Constraints extension
ensure returned CMS content is from an SOA or an
entity authorized by an SOA for that CMS content; see for
SOA certificates.EST and EST Extensions
This section profiles SODP's interfaces for EST and EST extensions
./pal
The Package Availability List (PAL) is limited to 32 entries, where
the 32nd PAL entry links to an additional PAL (i.e., PAL Package
Type 0001).
The PAL is XML ./cacerts
The CA certificates located in the explicit TA database are
distributed to the client when it is registered. This TA
distribution mechanism is out of scope.
CA certificates provided through this service are as specified in
Sections and of this document./simpleenroll
CSRs follow the specifications in ,
except that the CMC-specific ChangeSubjectName and
the POP Link Witness V2 attributes do not apply. Only
EC-based algorithms are used.
Client certificates provided through this service are as specified in
of this document.
The HTTP content type of "text/plain" () is
used to return human-readable errors./simplereenroll
There are no additional requirements for requests beyond those
specified in Sections and of this document.
The HTTP content type of "text/plain" () is
used to return human-readable errors./fullcmc
Requests are as specified in with the notable
exception that only EC-based algorithms are used.
Additional attributes for returned CMS packages can be found in
.
Certificates provided through this service are as specified in
of this document./serverkeygen
PKCS#12 -- sometimes referred to as "PFX" (Personal
Information Exchange) or "P12" -- is used to
provide server-generated asymmetric private keys and the associated
certificate to clients. This interface is a one-way interface as the
RA requests these from the server.
PFXs are exchanged using both password privacy mode and
integrity password mode. The PRF algorithm for PBKDF2 (the KDF for
PBES2 and PBMAC1) is HMAC-SHA-384, and the PBES2 encryption scheme is
AES-256.
The HTTP content type of "text/plain" () is
used to return human-readable errors.
/serverkeygen/return is not supported at this time./csrattrs
Clients use this service to retrieve partially filled PKIRequests
with no public key or proof-of-possession signature,
i.e., their values are set to zero length, either a zero length BIT
STRING or OCTET STRING. The pKCS7PDU attribute, defined in
, includes the partially filled PKIRequest as the only
element in the CsrAttrs sequence. Even though the CsrAttrs syntax is
defined as a set, there is only ever exactly one instance of values
present./crls
CRLs provided through this service are as specified in of
this document./symmetrickeys
Clients that claim to support SODP interoperation will be able to process
the following messages from an SODP server:
additional encryption and origin
authentication (); and
server-provided Symmetric Key
Content Type encapsulated in an Encrypted Key Content Type using
the EnvelopedData choice with an SOA certificate that includes the
CMS Content Constraints extension (see ).
Client-supported algorithms to decrypt the server-returned symmetric
key are as follows:
Message Digest: See .
Digital Signature Algorithm: See .
Key Agreement: See .
Key Wrap: AES-256 Key Wrap with Padding is used. AES-128 Key Wrap with Padding is not
used.
Content Encryption: AES-256 Key Wrap with Padding is used. AES-128 Key Wrap with
Padding is not used.
/symmetrickeys/return is not used at this time./eecerts, /firmware, /tamp
/eecerts, /firmware, and /tamp are not used at this time.CMC Interface
Client options for CMC are specified in this section.RFC 5273 Transport Protocols
Clients only use the HTTPS-based transport. The TLS implementation
and configuration are as specified in , with the
notable exception that only EC-based algorithms are used.
Clients that receive HTTP redirection responses (3xx status codes)
will terminate the connection ().Eligibility
At the CMC interface, servers only enroll clients that they have
established a prior relationship with independently of
the EST service. To accomplish this, client owners/operators
interact in person with the human acting as the Registration
Authority (RA) to ensure the information included in the transmitted
certificate request, which is sometimes called a Certificate
Signing Request (CSR), is associated with a client. The mechanism by
which the owner/operator interacts with the RA as well as the
information provided is beyond the scope of this document. The
information exchanged by the owner/operator might be something as
simple as the subject name included in the CSR to be sent or a copy
of the certificate that will be used to verify the certificate
request, which is provided out of band.Authentication
Mutual authentication occurs via client and server signing of CMC
protocol elements, as required by . All such
signatures are validated against an installed TA; any that fail
validation are rejected.Authorization
Clients support the simultaneous presence of as many TAs as are
required for all of the functions of the client, and only these TAs.
Clients check that the server's certificate includes the id-kp-cmcRA
Extended Key Usage (EKU) value ().
Clients that support processing of the CMS Content Constraints extension
ensure returned CMS content is from an SOA or an
entity authorized by an SOA for that CMS content; see for
SOA certificates.Full PKI Requests/Responses
Requests are as specified in with the notable
exception that only EC-based algorithms are used.
Additional attributes for returned CMS packages can be found in
.
Certificates provided through this service are as specified in of this document.Trust Anchor Profile
Clients are free to store the TA in the format of their choosing;
however, servers provide TA information in the form of self-signed CA
certificates. This section documents requirements for self-signed
certificates in addition to those specified in , which in
turn specifies requirements in addition to those in .
Only EC-based algorithms are used.
Issuer and subject names are composed of only the following naming
attributes: country name, domain component, organization name,
organizational unit name, common name, state or province name,
distinguished name qualifier, and serial number.
In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, the nonRepudiation bit is never set.Non-Self-Signed Certification Authority Certificate Profile
This section documents requirements for non-self-signed CA
certificates in addition to those specified in , which in
turn specifies requirements in addition to those in .
Only EC-based algorithms are used.
Subject names are composed of only the following naming attributes:
country name, domain component, organization name, organizational
unit name, common name, state or province name, distinguished name
qualifier, and serial number.
In the Authority Key Identifier extension, the keyIdentifier choice
is always used. The keyIdentifier is the 64 low-order bits of the
issuer's subjectPublicKey field.
In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, the nonRepudiation bit is never set.
The Certificate Policies extension is always included, and
policyQualifiers are never used.Non-self-signed CA certificates can also include the following:
Name Constraints:
permittedSubtrees constraints are
included, and excludedSubstree constraints are not. Of the
GeneralName choices, issuers support the following: rfc822Name,
dNSName, uniformResourceIdentifier, and iPAddress (both IPv4 and
IPv6) as well as hardwareModuleName, which is defined in . Note that rfc822Name, dNSName, and
uniformResourceIdentifier are defined as IA5 strings, and the
character sets allowed are not uniform amongst these three name
forms.
CRL Distribution Points:
A distributionPoint is
always the fullName choice. The uniformResourceIdentifier
GeneralName choice is always included, but others can also be used as
long as the first element in the sequence of CRLDistributionPoints
is the uniformResourceIdentifier choice. The reasons and cRLIssuer
fields are never populated. This extension is never marked as
critical.
Authority Information Access:
Only one instance of
AccessDescription is included. accessMethod is id-caIssuers, and
accessLocation's GeneralName is always the uniformResourceIdentifier
choice.
Extended Key Usage:
EST servers and RAs include the
id-kp-cmcRA EKU, and the CAs include the id-kp-cmcCA, which are both
specified in .
Issuers include the Authority Clearance Constraints extension in
non-self-signed CA certificates that are issued to non-SOAs; values for the
Certificate Policy (CP) Object Identifier (OID) and the supported classList
values are found in the issuer's CP. Criticality is determined by the
issuer, and a securityCategories is never included. Only one instance of
Clearance is generated in the AuthorityClearanceConstraints sequence.
Issuers include a critical CMS Content Constraints extension
in CA certificates used to issue SOA certificates;
this is necessary to enable enforcement of scope of the SOA
authority. The content types included depend on the packages the
SOA sources but include key packages (i.e., Encrypted Key Packages,
Symmetric Key Packages, and Asymmetric Key Packages).End-Entity Certificate Profile
This section documents requirements for EE signature and key
establishment certificates in addition to those listed in ,
which in turn specifies requirements in addition to those in
.
Only EC-based algorithms are used.
Subject names are composed of the following naming attributes:
country name, domain component, organization name, organizational
unit name, common name, state or province name, distinguished name
qualifier, and serial number.
In the Authority Key Identifier extension, the keyIdentifier choice
is always used. The keyIdentifier is the 64 low-order bits of the
issuer's subjectPublicKey field.
In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, signature certificates only assert
digitalSignature, and key establishment certificates only assert
keyAgreement.
The Certificate Policies extension is always included, and
policyQualifiers are never used.
When included, the non-critical CRL Distribution Point extension's
distributionPoint is always identified by the fullName choice. The
uniformResourceIdentifier GeneralName choice is always included, but
others can also be used as long as the first element in the sequence
of distribution points is the URI choice and it is an HTTP/HTTPS
scheme. The reasons and cRLIssuer fields are never populated.
The following subsections provide additional requirements for the
different types of EE certificates.Source of Authority Certificate Profile
This section specifies the format for SOA certificates, i.e., certificates
issued to those entities that are authorized to create, digitally sign,
encrypt, and distribute packages; these certificates are issued by non-PKI
TAs.
The Subject Alternative Name extension is always included. The
following choices are supported: rfc822Name, dNSName, ediPartyName,
uniformResourceIdentifier, or iPAddress (both IPv4 and IPv6). This
extension is never critical.
A critical CMS Content Constraints extension is included in
SOA signature certificates. The content types included depend on the
packages the SOA sources (e.g., Encrypted Key Packages, Symmetric Key
Packages, and Asymmetric Key Packages).Client Certificate Profile
This section specifies the format for certificates issued to clients.
A non-critical Subject Directory Attributes extension is always
included with the following attributes:
Device Owner
Clearance Sponsor
Clearance
The following extensions are also included at the discretion of the
CA:
The Authority Information Access extension with only one instance of
AccessDescription included. accessMethod is id-caIssuers, and
accessLocation's GeneralName is always the uniformResourceIdentifier
choice.
A non-critical Subject Alternative Name extension that includes
the hardwareModuleName form , rfc822Name, or
uniformResourceIdentifier.
A critical Subject Alternative Name extension that includes
dNSName, rfc822Name, ediPartyName, uniformResourceIdentifier, or
iPAddress (both IPv4 and IPv6).
Relying Party Applications
This section documents requirements for Relying Parties (RPs) in
addition to those listed in , which in turn specifies
requirements in addition to those in .
Only EC-based algorithms are used.
RPs support the Authority Key Identifier and the Subject Key
Identifier extensions.
RPs should support the following extensions: CRL Distribution Points,
Authority Information Access, Subject Directory Attribute, Authority
Clearance Constraints, and CMS Content Constraints.
Within the Subject Directory Attribute extension, RPs should support
the Clearance Sponsor, Clearance, and Device Owner attributes.
RPs support the id-kp-cmcRA and id-kp-cmcCA EKUs.
Failure to support extensions in this section might limit the
suitability of a device for certain applications.CRL Profile
This section documents requirements for CRLs in addition to those
listed in , which in turn specifies requirements in addition
to those in .
Only EC-based algorithms are used.
Two types of CRLs are produced: complete base CRLs and partitioned
base CRLs.
crlEntryExtensions are never included, and the reasons and cRLIssuer
fields are never populated.All CRLs include the following CRL extensions:
The Authority Key Identifier extension: The keyIdentifier is the
64 low-order bits of the issuer's subjectPublicKey field.
As per , the CRL Number extension.
The only other extension included in partitioned base CRLs is the
Issuing Distribution Point extension. The distributionPoint is
always identified by the fullName choice. The
uniformResourceIdentifier GeneralName choice is always included, but
others can also be used as long as the first element in the sequence
of distribution points is the uniformResourceIdentifier choice and the
scheme is an HTTP/HTTPS scheme. All other fields are omitted.IANA Considerations
This document has no IANA actions.Security Considerations
This entire document is about security. This document profiles the
use of many protocols and services: EST, CMC, and PKCS#10/#7/#12 as
well as certificates, CRLs, and their extensions .
These have been cited throughout this document, and the
specifications identified by those citations should be consulted
for security considerations related to implemented protocols
and services.ReferencesNormative ReferencesMultipurpose Internet Mail Extensions (MIME) Part Two: Media TypesThis second document defines the general structure of the MIME media typing system and defines an initial set of media types. [STANDARDS-TRACK]PKCS #9: Selected Object Classes and Attribute Types Version 2.0This memo represents a republication of PKCS #9 v2.0 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from that specification. This memo provides information for the Internet community.PKCS #10: Certification Request Syntax Specification Version 1.7This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community.Internet X.509 Public Key Infrastructure: Qualified Certificates ProfileThis document forms a certificate profile, based on RFC 3280, for identity certificates issued to natural persons. The profile defines specific conventions for certificates that are qualified within a defined legal framework, named Qualified Certificates. However, the profile does not define any legal requirements for such Qualified Certificates. The goal of this document is to define a certificate profile that supports the issuance of Qualified Certificates independent of local legal requirements. The profile is however not limited to Qualified Certificates and further profiling may facilitate specific local needs. [STANDARDS-TRACK]Using Cryptographic Message Syntax (CMS) to Protect Firmware PackagesThis document describes the use of the Cryptographic Message Syntax (CMS) to protect firmware packages, which provide object code for one or more hardware module components. CMS is specified in RFC 3852. A digital signature is used to protect the firmware package from undetected modification and to provide data origin authentication. Encryption is optionally used to protect the firmware package from disclosure, and compression is optionally used to reduce the size of the protected firmware package. A firmware package loading receipt can optionally be generated to acknowledge the successful loading of a firmware package. Similarly, a firmware package load error report can optionally be generated to convey the failure to load a firmware package. [STANDARDS-TRACK]Certificate Management Messages over CMS (CMC): Compliance RequirementsThis document provides a set of compliance statements about the CMC (Certificate Management over CMS) enrollment protocol. The ASN.1 structures and the transport mechanisms for the CMC enrollment protocol are covered in other documents. This document provides the information needed to make a compliant version of CMC. [STANDARDS-TRACK]Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) ProfileThis memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]Cryptographic Message Syntax (CMS)This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK]New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIMEThe Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.Clearance Attribute and Authority Clearance Constraints Certificate ExtensionThis document defines the syntax and semantics for the Clearance attribute and the Authority Clearance Constraints extension in X.509 certificates. The Clearance attribute is used to indicate the clearance held by the subject. The Clearance attribute may appear in the subject directory attributes extension of a public key certificate or in the attributes field of an attribute certificate. The Authority Clearance Constraints certificate extension values in a Trust Anchor (TA), in Certification Authority (CA) public key certificates, and in an Attribute Authority (AA) public key certificate in a certification path for a given subject constrain the effective Clearance of the subject. [STANDARDS-TRACK]Elliptic Curve Private Key StructureThis document specifies the syntax and semantics for conveying Elliptic Curve (EC) private key information. The syntax and semantics defined herein are based on similar syntax and semantics defined by the Standards for Efficient Cryptography Group (SECG). This document is not an Internet Standards Track specification; it is published for informational purposes.Device Owner AttributeThis document defines the Device Owner attribute. It indicates the entity (e.g., company, organization, department, agency) that owns the device. This attribute may be included in public key certificates and attribute certificates. This document is not an Internet Standards Track specification; it is published for informational purposes.Clearance Sponsor AttributeThis document defines the clearance sponsor attribute. It indicates the entity that sponsored (i.e., granted) the clearance. This attribute is intended for use in public key certificates and attribute certificates that also include the clearance attribute. This document is not an Internet Standards Track specification; it is published for informational purposes.Asymmetric Key PackagesThis document defines the syntax for private-key information and a content type for it. Private-key information includes a private key for a specified public-key algorithm and a set of attributes. The Cryptographic Message Syntax (CMS), as defined in RFC 5652, can be used to digitally sign, digest, authenticate, or encrypt the asymmetric key format content type. This document obsoletes RFC 5208. [STANDARDS-TRACK]Algorithms for Asymmetric Key Package Content TypeThis document describes the conventions for using several cryptographic algorithms with the EncryptedPrivateKeyInfo structure, as defined in RFC 5958. It also includes conventions necessary to protect the AsymmetricKeyPackage content type with SignedData, EnvelopedData, EncryptedData, AuthenticatedData, and AuthEnvelopedData. [STANDARDS-TRACK]Cryptographic Message Syntax (CMS) Content Constraints ExtensionThis document specifies the syntax and semantics for the Cryptographic Message Syntax (CMS) content constraints extension. This extension is used to determine whether a public key is appropriate to use in the processing of a protected content. In particular, the CMS content constraints extension is one part of the authorization decision; it is used when validating a digital signature on a CMS SignedData content or validating a message authentication code (MAC) on a CMS AuthenticatedData content or CMS AuthEnvelopedData content. The signed or authenticated content type is identified by an ASN.1 object identifier, and this extension indicates the content types that the public key is authorized to validate. If the authorization check is successful, the CMS content constraints extension also provides default values for absent attributes. [STANDARDS-TRACK]Cryptographic Message Syntax (CMS) Symmetric Key Package Content TypeThis document defines the symmetric key format content type. It is transport independent. The Cryptographic Message Syntax (CMS) can be used to digitally sign, digest, authenticate, or encrypt this content type. [STANDARDS-TRACK]Cryptographic Message Syntax (CMS) Encrypted Key Package Content TypeThis document defines the Cryptographic Message Syntax (CMS) encrypted key package content type, which can be used to encrypt a content that includes a key package, such as a symmetric key package or an asymmetric key package. It is transport independent. CMS can be used to digitally sign, digest, authenticate, or further encrypt this content type. It is designed to be used with the CMS Content Constraints (CCC) extension, which does not constrain the EncryptedData, EnvelopedData, and AuthEnvelopedData. [STANDARDS-TRACK]Algorithms for Cryptographic Message Syntax (CMS) Encrypted Key Package Content TypeThis document describes the conventions for using several cryptographic algorithms with the Cryptographic Message Syntax (CMS) encrypted key package content type. Specifically, it includes conventions necessary to implement EnvelopedData, EncryptedData, and AuthEnvelopedData. [STANDARDS-TRACK]Algorithms for Cryptographic Message Syntax (CMS) Protection of Symmetric Key Package Content TypesThis document describes the conventions for using several cryptographic algorithms with the Cryptographic Message Syntax (CMS) to protect the symmetric key package content type. Specifically, it includes conventions necessary to implement SignedData, EnvelopedData, EncryptedData, and AuthEnvelopedData. [STANDARDS-TRACK]Elliptic Curve Algorithms for Cryptographic Message Syntax (CMS) Encrypted Key Package Content TypeThis document describes the conventions for using several Elliptic Curve cryptographic algorithms with the Cryptographic Message Syntax (CMS) encrypted key package content type. Specifically, it includes conventions necessary to implement Elliptic Curve Diffie-Hellman (ECDH) with EnvelopedData and Elliptic Curve Digital Signature Algorithm (ECDSA) with SignedData. This document extends RFC 6033. [STANDARDS-TRACK]Elliptic Curve Algorithms for Cryptographic Message Syntax (CMS) Asymmetric Key Package Content TypeThis document describes conventions for using Elliptic Curve cryptographic algorithms with SignedData and EnvelopedData to protect the AsymmetricKeyPackage content type. Specifically, it includes conventions necessary to implement Elliptic Curve Diffie-Hellman (ECDH) with EnvelopedData and Elliptic Curve Digital Signature Algorithm (ECDSA) with SignedData. This document extends RFC 5959. [STANDARDS-TRACK]Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative version. There are no bits- on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.Certificate Management over CMS (CMC) UpdatesThis document contains a set of updates to the base syntax for CMC, a Certificate Management protocol using the Cryptographic Message Syntax (CMS). This document updates RFC 5272, RFC 5273, and RFC 5274.The new items in this document are: new controls for future work in doing server side key generation, definition of a Subject Information Access value to identify CMC servers, and the registration of a port number for TCP/IP for the CMC service to run on. [STANDARDS-TRACK]Enrollment over Secure TransportThis document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA.Cryptographic Message Syntax (CMS) Key Package Receipt and Error Content TypesThis document defines the syntax for two Cryptographic Message Syntax (CMS) content types: one for key package receipts and another for key package errors. The key package receipt content type is used to confirm receipt of an identified key package or collection of key packages. The key package error content type is used to indicate an error occurred during the processing of a key package. CMS can be used to digitally sign, digest, authenticate, or encrypt these content types.Algorithms for Cryptographic Message Syntax (CMS) Key Package Receipt and Error Content TypesThis document describes the conventions for using several cryptographic algorithms with the Cryptographic Message Syntax (CMS) key package receipt and error content types. Specifically, it includes conventions necessary to implement SignedData, EnvelopedData, EncryptedData, and AuthEnvelopedData.PKCS #12: Personal Information Exchange Syntax v1.1PKCS #12 v1.1 describes a transfer syntax for personal identity information, including private keys, certificates, miscellaneous secrets, and extensions. Machines, applications, browsers, Internet kiosks, and so on, that support this standard will allow a user to import, export, and exercise a single set of personal identity information. This standard supports direct transfer of personal information under several privacy and integrity modes.This document represents a republication of PKCS #12 v1.1 from RSA Laboratories' Public Key Cryptography Standard (PKCS) series. By publishing this RFC, change control is transferred to the IETF.NSA's Cryptographic Message Syntax (CMS) Key Management AttributesThis document defines key management attributes used by the National Security Agency (NSA). The attributes can appear in asymmetric and/or symmetric key packages as well as the Cryptographic Message Syntax (CMS) content types that subsequently envelope the key packages. Key packages described in RFCs 5958 and 6031 are examples of where these attributes can be used.EST (Enrollment over Secure Transport) ExtensionsThe EST (Enrollment over Secure Transport) protocol defines the Well-Known URI (Uniform Resource Identifier) -- /.well-known/est -- along with a number of other path components that clients use for PKI (Public Key Infrastructure) services, namely certificate enrollment (e.g., /simpleenroll). This document defines a number of other PKI services as additional path components -- specifically, firmware and trust anchors as well as symmetric, asymmetric, and encrypted keys. This document also specifies the PAL (Package Availability List), which is an XML (Extensible Markup Language) file or JSON (JavaScript Object Notation) object that clients use to retrieve packages available and authorized for them. This document extends the EST server path components to provide these additional services.Commercial National Security Algorithm (CNSA) Suite Certificate and Certificate Revocation List (CRL) ProfileThis document specifies a base profile for X.509 v3 Certificates and X.509 v2 Certificate Revocation Lists (CRLs) for use with the United States National Security Agency's Commercial National Security Algorithm (CNSA) Suite. The profile applies to the capabilities, configuration, and operation of all components of US National Security Systems that employ such X.509 certificates. US National Security Systems are described in NIST Special Publication 800-59. It is also appropriate for all other US Government systems that process high-value information. It is made publicly available for use by developers and operators of these and any other system deployments.Using Commercial National Security Algorithm Suite Algorithms in Secure/Multipurpose Internet Mail ExtensionsThe United States Government has published the National Security Agency (NSA) Commercial National Security Algorithm (CNSA) Suite, which defines cryptographic algorithm policy for national security applications. This document specifies the conventions for using the United States National Security Agency's CNSA Suite algorithms in Secure/Multipurpose Internet Mail Extensions (S/MIME) as specified in RFC 8551. It applies to the capabilities, configuration, and operation of all components of US National Security Systems that employ S/MIME messaging. US National Security Systems are described in NIST Special Publication 800-59. It is also appropriate for all other US Government systems that process high-value information. It is made publicly available for use by developers and operators of these and any other system deployments.Commercial National Security Algorithm (CNSA) Suite Profile of Certificate Management over CMSThis document specifies a profile of the Certificate Management over CMS (CMC) protocol for managing X.509 public key certificates in applications that use the Commercial National Security Algorithm (CNSA) Suite published by the United States Government. The profile applies to the capabilities, configuration, and operation of all components of US National Security Systems that manage X.509 public key certificates over CMS. It is also appropriate for all other US Government systems that process high-value information. The profile is made publicly available here for use by developers and operators of these and any other system deployments.Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3Guideline for Identifying an Information System as a National Security SystemNational Institute of Standards and TechnologyExtensible Markup Language (XML) 1.0 (Fifth Edition)Informative ReferencesKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Authors' AddressesNational Security Agencymjjenki@cyber.nsa.govsn3rdsean@sn3rd.com