rfc8951v2.txt vs. rfc8951.txt

skipping to change at line 252
response MUST include an HTTP 200 response code. An HTTP response
code of 204 or 404 indicates that a CSR Attributes Response is not
available. Regardless of the response code, the EST server and CA
MAY reject any subsequent enrollment requests for any reason,
e.g., incomplete CSR attributes in the request.

Responses to attribute request messages MUST be encoded as the
content-type of "application/csrattrs" and are to be "base64"
[RFC4648] encoded. The syntax for application/csrattrs body is as
follows:

   CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID

   AttrOrOID ::= CHOICE {
      oid OBJECT IDENTIFIER,
      attribute Attribute {{AttrSet}} }

   AttrSet ATTRIBUTE ::= { ... }

An EST server includes zero or more OIDs or attributes [RFC2986]
that it requests the client to use in the certification request.
The client MUST ignore any OID or attribute it does not recognize.
When the server encodes CSR attributes as an empty SEQUENCE, it
means that the server has no specific additional information it
desires in a client certification request (this is functionally
equivalent to an HTTP response code of 204 or 404).

If the CA requires a particular cryptographic algorithm or use of
skipping to change at line 303 (rfc8951v2.txt) / line 304 (rfc8951.txt)
and then base64 encoded (Section 4 of [RFC4648]). The resulting
text forms the application/csrattrs body, without headers.

For example, if a CA requests that a client a) submit a
certification request containing the challengePassword (indicating
that linking of identity and POP information is requested; see
Section 3.5), b) submit an extensionRequest with the Media Access
Control (MAC) address [RFC2307] of the client, and c) use the
secp384r1 elliptic curve to sign using the SHA384 hash function,
then it takes the following:

   OID: challengePassword (1.2.840.113549.1.9.7)

   Attribute: type = extensionRequest (1.2.840.113549.1.9.14)
              value = macAddress (1.3.6.1.1.1.1.22)

   Attribute: type = id-ecPublicKey (1.2.840.10045.2.1)
              value = secp384r1 (1.3.132.0.34)

   OID: ecdsaWithSHA384 (1.2.840.10045.4.3.3)

and encodes them into an ASN.1 SEQUENCE to produce:

   30 41 06 09 2a 86 48 86 f7 0d 01 09 07 30 12 06 07 2a 86 48 ce 3d
   02 01 31 07 06 05 2b 81 04 00 22 30 16 06 09 2a 86 48 86 f7 0d 01
   09 0e 31 09 06 07 2b 06 01 01 01 01 16 06 08 2a 86 48 ce 3d 04 03
   03

and then base64 encodes the resulting ASN.1 SEQUENCE to produce:

   MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ
   BgcrBgEBAQEWBggqhkjOPQQDAw==
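As an added example (my code, not part of RFC 8951 or of this diff), a minimal bounds-checked DER walker that decodes the application/csrattrs body above into its AttrOrOID list, following the CsrAttrs syntax given in this section; the only embedded input is the base64 string quoted from the page, and the function and constant names are my own. It accepts the 64-column wrapped form of the body and rejects anything that is not a single well-formed CsrAttrs SEQUENCE.

```python
import base64

EXAMPLE_B64 = (  # quoted from the RFC 8951 example above; its 64-column line wrap is joined
    "MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ"
    "BgcrBgEBAQEWBggqhkjOPQQDAw==")
SEQUENCE, SET, OID = 0x30, 0x31, 0x06

def read_tlv(buf, pos):
    # Bounds-checked DER TLV reader: returns (tag, contents, position after the element).
    if pos + 2 > len(buf): raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        if not 0 < (n := length & 0x7F) <= 4: raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf): raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    # OID contents to dotted form (X.690 8.19); the first octet packs the first two arcs.
    if not value or value[-1] & 0x80: raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    arcs[0:1] = [2, arcs[0] - 80] if arcs[0] >= 80 else list(divmod(arcs[0], 40))
    return ".".join(map(str, arcs))

def parse_csrattrs(b64_body):
    # Walk CsrAttrs ::= SEQUENCE OF AttrOrOID; returns ('oid', x) / ('attribute', type, values).
    der = base64.b64decode("".join(b64_body.split()), validate=True)  # wrap ok, junk rejected
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der): raise ValueError("not exactly one CsrAttrs SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == OID:
            out.append(("oid", decode_oid(val)))
            continue
        t, tval, p = read_tlv(val, 0)  # Attribute ::= SEQUENCE { type OID, values SET OF ANY }
        s, sval, p = read_tlv(val, p)
        if tag != SEQUENCE or t != OID or s != SET or p != len(val):
            raise ValueError("AttrOrOID is neither an OID nor a well-formed Attribute")
        values, q = [], 0
        while q < len(sval):
            vt, vv, q = read_tlv(sval, q)
            values.append(decode_oid(vv) if vt == OID else vv.hex())  # non-OID values kept as hex
        out.append(("attribute", decode_oid(tval), values))
    return out
```

Note that the DER orders the two Attributes differently from the prose list (id-ecPublicKey before extensionRequest); a client matching on OIDs rather than position is unaffected.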
5. Clarification of Error Messages for Certificate Enrollment
   Operations

[errata5108] clarifies what format the error messages are to be in.
Previously, a client might be confused into believing that an error
returned with type text/plain was not intended to be an error.

5.1. Updating Section 4.2.3: Simple Enroll and Re-enroll Response
skipping to change at line 495 (rfc8951v2.txt) / line 499 (rfc8951.txt)
              2015, <https://www.itu.int/rec/T-REC-X.683>.

   [X.690]    ITU-T, "Information Technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2015,
              August 2015, <https://www.itu.int/rec/T-REC-X.690>.

9.2. Informative References

   [BRSKI]    Pritikin, M., Richardson, M. C., Eckert, T., Behringer, M.
              H., and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructures (BRSKI)", Work in Progress, Internet-
              Draft, draft-ietf-anima-bootstrapping-keyinfra-45, 11
              November 2020, <https://tools.ietf.org/html/draft-ietf-
              anima-bootstrapping-keyinfra-45>.
              (rfc8951v2.txt reads "Richardson, M." and "Behringer, M.",
              without the middle initials.)

   [RFC2307]  Howard, L., "An Approach for Using LDAP as a Network
              Information Service", RFC 2307, DOI 10.17487/RFC2307,
              March 1998, <https://www.rfc-editor.org/info/rfc2307>.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
End of changes. 10 change blocks. 15 lines changed or deleted, 19 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/