Certificate Management Messages over CMS
RFC 2797        Certificate Management Messages over CMS      April 2000


   No special services are provided for doing either renewal (new
   certificates with the same key) or re-keying (new certificates on new
   keys) of clients.  Instead, a renewal/re-key message looks the same as
   any enrollment message, with the identity proof being supplied by the
   existing certificates the client already holds from the CA.

   A provision exists for Local Registration Authorities (LRAs) to
   participate in the protocol by taking client enrollment messages,
   wrapping them in a second layer of enrollment message with additional
   requirements or statements from the LRA and then passing this new
   expanded request on to the Certification Authority.

   This specification makes no assumptions about the underlying
   transport mechanism.  The use of CMS is not meant to imply an email-
   based transport.

   Optional services available through this specification are
   transaction management, replay detection (through nonces), deferred
   certificate issuance, certificate revocation requests and
   certificate/CRL retrieval.
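   As an added illustration of the transaction-management and replay-
   detection services listed above (this is example code, not part of
   RFC 2797 or any CMC implementation), the following stand-alone Python
   model shows a client that ties each request to a transaction
   identifier and a fresh sender nonce, a server that echoes that nonce
   as the recipient nonce while adding a nonce of its own, and the
   client-side checks that reject a replayed or mismatched response.  In
   the real protocol these values travel as control attributes inside
   CMS SignedData and are covered by the signature; this model carries
   them as plain Python fields and omits CMS encoding and signing.  The
   names (Client, ca_respond, demo), the 16-byte nonce length and the
   request bodies are this example's own assumptions.

```python
# Added example (not from RFC 2797): simplified model of CMC-style
# transaction management and nonce-based replay detection.
# Messages are plain Python objects; no CMS/ASN.1 encoding, no signatures.
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16  # bytes; assumption, the RFC does not fix a nonce length


@dataclass(frozen=True)
class Request:
    transaction_id: int     # chosen by the client; ties request to response
    sender_nonce: bytes     # fresh for every request
    body: str               # stand-in for a PKCS#10 or CRMF request


@dataclass(frozen=True)
class Response:
    transaction_id: int
    sender_nonce: bytes     # server's own fresh nonce
    recipient_nonce: bytes  # must echo the request's sender_nonce
    status: str             # "issued", "pending" (deferred) or "failed"


class Client:
    """Tracks open transactions and rejects replayed or mismatched replies."""

    def __init__(self):
        self._open = {}               # transaction_id -> sender_nonce we used
        self._seen_server_nonces = set()
        self._next_tid = 1

    def make_request(self, body):
        tid = self._next_tid
        self._next_tid += 1
        nonce = secrets.token_bytes(NONCE_LEN)
        self._open[tid] = nonce
        return Request(tid, nonce, body)

    def accept_response(self, resp):
        """Return True only for a fresh response to a transaction we opened."""
        expected = self._open.get(resp.transaction_id)
        if expected is None:
            return False  # unknown, or already completed, transaction
        # The echoed nonce proves the reply was built after our request,
        # so an old reply cannot be substituted; compare in constant time.
        if not hmac.compare_digest(expected, resp.recipient_nonce):
            return False
        if resp.sender_nonce in self._seen_server_nonces:
            return False  # the identical server message delivered twice
        self._seen_server_nonces.add(resp.sender_nonce)
        if resp.status != "pending":
            del self._open[resp.transaction_id]  # deferred issuance keeps it open
        return True


def ca_respond(req, status="issued"):
    """Server side: echo the client's nonce and add a fresh one of its own."""
    return Response(req.transaction_id, secrets.token_bytes(NONCE_LEN),
                    req.sender_nonce, status)


def demo():
    """A normal exchange, a replayed response and a mismatched response."""
    c = Client()
    req = c.make_request("PKCS#10 request (constructed stand-in)")
    resp = ca_respond(req)
    first = c.accept_response(resp)      # True
    replay = c.accept_response(resp)     # False: transaction closed, nonce seen
    req2 = c.make_request("renewal request (constructed stand-in)")
    forged = Response(req2.transaction_id, secrets.token_bytes(NONCE_LEN),
                      b"\x00" * NONCE_LEN, "issued")
    mismatch = c.accept_response(forged)  # False: recipient nonce does not match
    return first, replay, mismatch


def deferred_demo():
    """Deferred issuance: a pending reply keeps the transaction open."""
    c = Client()
    req = c.make_request("request with deferred issuance (constructed)")
    pending_ok = c.accept_response(ca_respond(req, "pending"))   # True
    issued_ok = c.accept_response(ca_respond(req, "issued"))     # True
    extra = c.accept_response(ca_respond(req, "issued"))         # False
    return pending_ok, issued_ok, extra


if __name__ == "__main__":
    print(demo(), deferred_demo())
```

   The nonce check matters because a signature alone does not stop an
   attacker from re-delivering an old, validly signed response; only the
   fresh sender nonce echoed back as the recipient nonce ties the reply
   to this particular request.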

2.1  Terminology

   There are several different terms, abbreviations and acronyms used in
   this document that we define here for convenience and consistency of
   usage:

   "End-Entity" (EE) refers to the entity that owns a key pair and for
      whom a certificate is issued.
   "LRA" or "RA" refers to a (Local) Registration Authority.  A
      registration authority acts as an intermediary between an End-
      Entity and a Certification Authority.  Multiple RAs can exist
      between the End-Entity and the Certification Authority.
   "CA" refers to a Certification Authority.  A Certification Authority
      is the entity that performs the actual issuance of a certificate.
   "Client" refers to an entity that creates a PKI request.  In this
      document both RAs and End-Entities can be clients.
   "Server" refers to the entities that process PKI requests and create
      PKI responses.  CAs and RAs can be servers in this document.
   "PKCS#10" refers to the Public Key Cryptography Standard #10.  This is
      one of a series of standards first published by RSA Laboratories in
      the early 1990s.  PKCS#10 defines a Certificate Request Message
      syntax.
   "CRMF" refers to the Certificate Request Message Format RFC [CRMF].
      We are using the certificate request message format defined in that
      RFC as part of our management protocol.
   "CMS" refers to the Cryptographic Message Syntax RFC [CMS].  CMS
      provides basic cryptographic services, including encryption and
      signing, with and without key management.



Myers, et al.               Standards Track