RFC 2797 (rfc2797) - Page 2 of 47
Certificate Management Messages over CMS
Alternative Format: Original Text Document
RFC 2797 Certificate Management Messages over CMS April 2000
1. Protocol Requirements
- The protocol is to be based as much as possible on the existing
CMS, PKCS#10 and CRMF specifications.
- The protocol must support the current industry practice of a
PKCS#10 request followed by a PKCS#7 response as a subset of the
protocol.
- The protocol needs to easily support the multi-key enrollment
protocols required by S/MIME and other groups.
- The protocol must supply a way of doing all operations in a
single-round trip. When this is not possible the number of round
trips is to be minimized.
- The protocol will be designed such that all key generation can
occur on the client.
- The mandatory algorithms must superset the required algorithms for
S/MIME.
- The protocol will contain POP methods. Optional provisions for
multiple-round trip POP will be made if necessary.
- The protocol will support deferred and pending responses to
certificate request for cases where external procedures are
required to issue a certificate.
- The protocol needs to support arbitrary chains of local
registration authorities as intermediaries between certificate
requesters and issuers.
2. Protocol Overview
An enrollment transaction in this specification is generally composed
of a single round trip of messages. In the simplest case an
enrollment request is sent from the client to the server and an
enrollment response is then returned from the server to the client.
In some more complicated cases, such as delayed certificate issuance
and polling for responses, more than one round trip is required.
This specification supports two different request messages and two
different response messages.
Public key certification requests can be based on either the PKCS10
or CRMF object. The two different request messages are (a) the bare
PKCS10 (in the event that no other services are needed), and (b) the
PKCS10 or CRMF message wrapped in a CMS encapsulation as part of a
PKIData object.
Public key certification responses are based on the CMS signedData
object. The response may be either (a) a degenerate CMS signedData
object (in the event no other services are needed), or (b) a
ResponseBody object wrapped in a CMS signedData object.
Myers, et al. Standards Track