< draft-turner-sodp-profile-03.txt   draft-turner-sodp-profile-04.txt >
Network Working Group M. Jenkins Network Working Group M. Jenkins
Internet Draft NSA Internet Draft NSA
Intended Status: Informational Sean Turner Intended Status: Informational Sean Turner
Expires: February 8, 2020 sn3rd Expires: February 17, 2020 sn3rd
August 7, 2019 August 16, 2019
The SODP (Secure Object Delivery Protocol) Server Interfaces: The SODP (Secure Object Delivery Protocol) Server Interfaces:
NSA's Profile for Delivery of Certificates, NSA's Profile for Delivery of Certificates,
CRLs, and Symmetric Keys to Clients CRLs, and Symmetric Keys to Clients
draft-turner-sodp-profile-03.txt draft-turner-sodp-profile-04.txt
Abstract Abstract
This document specifies protocol interfaces profiled by the US NSA This document specifies protocol interfaces profiled by the US NSA
(United States National Security Agency) for NSS (National Security (United States National Security Agency) for NSS (National Security
System) servers that provide public key certificates, CRLs System) servers that provide public key certificates, CRLs
(Certificate Revocation Lists), and symmetric keys to NSS clients. (Certificate Revocation Lists), and symmetric keys to NSS clients.
Servers that support these interfaces are referred to as SODP (Secure Servers that support these interfaces are referred to as SODP (Secure
Object Delivery Protocol) servers. The intended audience for this Object Delivery Protocol) servers. The intended audience for this
profile comprises developers of client devices that will obtain key profile comprises developers of client devices that will obtain key
skipping to change at page 4, line 18 skipping to change at page 4, line 18
[RFC5280], [RFC5912], [RFC5913], [RFC5916], [RFC5917], [RFC6010], [RFC5280], [RFC5912], [RFC5913], [RFC5916], [RFC5917], [RFC6010],
and [RFC6402]; and [RFC6402];
o Key-format-related specifications [RFC5915], [RFC5958], o Key-format-related specifications [RFC5915], [RFC5958],
[RFC5959], [RFC6031], [RFC6032], [RFC6160], [RFC6161], [RFC6162], [RFC5959], [RFC6031], [RFC6032], [RFC6160], [RFC6161], [RFC6162],
[RFC7191], [RFC7192], [RFC7292], and [RFC7906]; [RFC7191], [RFC7192], [RFC7292], and [RFC7906];
o CMS-related (Cryptographic Message Syntax) RFCs [RFC5652], o CMS-related (Cryptographic Message Syntax) RFCs [RFC5652],
[RFC6268], and; [RFC6268], and;
o CNSA-related (Commercial National Security Algorithm) drafts o CNSA-related (Commercial National Security Algorithm) drafts
[RFC8603], [ID.cnsa-smime-profile], [ID.cnsa-cmc-profile], and [RFC8603], [ID.cnsa-smime-profile], [ID.cnsa-cmc-profile], and
[ID.cnsa-tls-profile]. The profile defined herein does not [ID.cnsa-tls-profile]. The profile defined herein does not
support RSA-based algorithms. support RSA-based or DHE-based algorithms.
The requirements from RFCs apply throughout this profile and are The requirements from RFCs apply throughout this profile and are
generally not repeated here. This document is purposely written generally not repeated here. This document is purposely written
without [RFC2119] language. without [RFC2119] language.
1.2. Document Organization 1.2. Document Organization
The document is organized as follows: The document is organized as follows:
o The remainder of this section describes the operational o The remainder of this section describes the operational
skipping to change at page 6, line 37 skipping to change at page 6, line 37
Clients that receive redirection responses (3xx status codes) will Clients that receive redirection responses (3xx status codes) will
terminate the connection ([RFC7030], Section 3.2.1). terminate the connection ([RFC7030], Section 3.2.1).
Clients include an HTTP Accept header with each HTTP GET request to Clients include an HTTP Accept header with each HTTP GET request to
indicate the PAL Package Type supported ([RFC8295], Section 2.1.1). indicate the PAL Package Type supported ([RFC8295], Section 2.1.1).
3.2. Transport Layer Security 3.2. Transport Layer Security
TLS implementations are configured as specified in TLS implementations are configured as specified in
[ID.cnsa-tls-profile]; the notable exception is that RSA-based [ID.cnsa-tls-profile]; the notable exceptions are that RSA-based and
algorithms are not used. DHE-based algorithms are not used.
3.3. Eligibility 3.3. Eligibility
At the EST interface, servers enroll only clients that they have an At the EST interface, servers enroll only clients that they have an
established relationship with. To accomplish this, client established relationship with. To accomplish this, client
owners/operators interact in person with the human acting as the RA owners/operators interact in person with the human acting as the RA
(Registration Authority) to ensure the information included in the (Registration Authority) to ensure the information included in the
transmitted certificate request, which is sometimes called a CSR transmitted certificate request, which is sometimes called a CSR
(Certificate Signing Request), is associated with a client. The (Certificate Signing Request), is associated with a client. The
mechanism by which the owner/operator interact with the RA as well as mechanism by which the owner/operator interact with the RA as well as
skipping to change at page 8, line 34 skipping to change at page 8, line 34
There are no additional requirements for requests beyond those There are no additional requirements for requests beyond those
specified in Sections 3.4 and 3.6.3 of this document. specified in Sections 3.4 and 3.6.3 of this document.
The HTTP content-type of "text/plain" ([RFC2046], Section 4.1) is The HTTP content-type of "text/plain" ([RFC2046], Section 4.1) is
used to return human readable errors. used to return human readable errors.
3.6.5. /fullcmc 3.6.5. /fullcmc
Requests are as specified in [ID.cnsa-cmc-profile] with the notable Requests are as specified in [ID.cnsa-cmc-profile] with the notable
exception that RSA-based algorithms are not supported. exception that RSA-based algorithms are not used.
Additional attributes for returned CMS packages can be found in Additional attributes for returned CMS packages can be found in
[RFC7906]. [RFC7906].
Certificates provided through this service are as specified in Certificates provided through this service are as specified in
Section 7 of this document. Section 7 of this document.
3.6.6. /serverkeygen 3.6.6. /serverkeygen
PKCS#12 [RFC7292], sometimes referred to as "PFX" (Personal PKCS#12 [RFC7292], sometimes referred to as "PFX" (Personal
skipping to change at page 10, line 13 skipping to change at page 10, line 13
/eecerts, /firmware, /tamp are not used at this time. /eecerts, /firmware, /tamp are not used at this time.
4. CMC Interface 4. CMC Interface
CMC [RFC5274][RFC6402] clients options are specified in this section. CMC [RFC5274][RFC6402] clients options are specified in this section.
4.1. RFC 5273 Transport Protocols 4.1. RFC 5273 Transport Protocols
Clients use only the HTTPS-based transport; the TLS implementation Clients use only the HTTPS-based transport; the TLS implementation
and configuration is as specified in [ID.cnsa-tls-profile]; the and configuration is as specified in [ID.cnsa-tls-profile]; the
notable exception is that RSA-based algorithms are not supported. notable exceptions are that RSA-based and DHE-based algorithms are
not used.
Clients that receive HTTP redirection responses (3xx status codes) Clients that receive HTTP redirection responses (3xx status codes)
will terminate the connection ([RFC7030], Section 3.2.1). will terminate the connection ([RFC7030], Section 3.2.1).
4.2. Eligibility 4.2. Eligibility
At the CMC interface, servers enroll only clients that they have an At the CMC interface, servers enroll only clients that they have an
established relationship with. To accomplish this, client established relationship with. To accomplish this, client
owners/operators interact in person with the human acting as the RA owners/operators interact in person with the human acting as the RA
(Registration Authority) to ensure the information included in the (Registration Authority) to ensure the information included in the
skipping to change at page 14, line 45 skipping to change at page 14, line 45
o A critical Subject Alternative Name extension that includes: o A critical Subject Alternative Name extension that includes:
dNSName, rfc822Name, ediPartyName, uniformResourceIdentifier, or dNSName, rfc822Name, ediPartyName, uniformResourceIdentifier, or
ipAddress (both IPv4 and IPv6). ipAddress (both IPv4 and IPv6).
8. Relying Party Applications 8. Relying Party Applications
This section documents requirements for RPs (Relying Parties) in This section documents requirements for RPs (Relying Parties) in
addition to those listed in [RFC8603], which in turn specifies addition to those listed in [RFC8603], which in turn specifies
requirements in addition to those in [RFC5280]. requirements in addition to those in [RFC5280].
RSA-based algorithms are not supported. RSA-based algorithms are not used.
RPs support the Authority Key Identifier and the Subject Key RPs support the Authority Key Identifier and the Subject Key
Identifier extensions. Identifier extensions.
RPs should support the following extensions: CRL Distribution Points, RPs should support the following extensions: CRL Distribution Points,
Authority Information Access, Subject Directory Attribute, Authority Authority Information Access, Subject Directory Attribute, Authority
Clearance Constraints, and CMS Content Constraints extensions. Clearance Constraints, and CMS Content Constraints extensions.
Within the Subject Directory Attribute extension, RPs should support Within the Subject Directory Attribute extension, RPs should support
the Clearance Sponsor, Clearance, and Device Owner attributes. the Clearance Sponsor, Clearance, and Device Owner attributes.
skipping to change at page 19, line 41 skipping to change at page 19, line 41
[SP 800-59] National Institute of Standards and Technology, [SP 800-59] National Institute of Standards and Technology,
"Guideline for Identifying an Information System as a "Guideline for Identifying an Information System as a
National Security System", SP 800-59, August 2003, National Security System", SP 800-59, August 2003,
<https://csrc.nist.gov/publications/detail/sp/800- <https://csrc.nist.gov/publications/detail/sp/800-
59/final>. 59/final>.
[ID.cnsa-smime-profile] Jenkins, M., "Using CNSA Suite Algorithms in [ID.cnsa-smime-profile] Jenkins, M., "Using CNSA Suite Algorithms in
Secure/Multipurpose Internet Mail Extensions(S/MIME)", Secure/Multipurpose Internet Mail Extensions(S/MIME)",
work-in-progress, <https://www.ietf.org/internet- work-in-progress, <https://www.ietf.org/internet-
drafts/draft-jenkins-smime-profile-00>. drafts/draft-jenkins-smime-profile-01>.
[ID.cnsa-cmc-profile] Jenkins, M. and L. Zieglar, "Commercial [ID.cnsa-cmc-profile] Jenkins, M. and L. Zieglar, "Commercial
National Security Algorithm (CNSA) Suite Profile of National Security Algorithm (CNSA) Suite Profile of
Certificate Management over CMS", work-in-progress, Certificate Management over CMS", work-in-progress,
<https://www.ietf.org/internet-drafts/draft-jenkins-cmc- <https://www.ietf.org/internet-drafts/draft-jenkins-cmc-
profile-01>. profile-05>.
[ID.cnsa-tls-profile] Authors, "Commercial National Security [ID.cnsa-tls-profile] Authors, "Commercial National Security
Algorithm (CNSA) Suite Profile of TLS", work-in-progress, Algorithm (CNSA) Suite Profile of TLS", work-in-progress,
<https://www.ietf.org/internet-drafts/draft-authors-tls- <https://www.ietf.org/internet-drafts/draft-cooley-cnsa-
profile-00>. dtls-tls-profile-00>.
12.2. Informative References 12.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI Requirement Levels", BCP 14, RFC 2119, DOI
10.17487/RFC2119, March 1997, <https://www.rfc- 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
None. None.
 End of changes. 10 change blocks. 
13 lines changed or deleted 14 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/