2.1. New Section 1.1 - Changes Since RFC 4210
The following subsection describes feature updates to [RFC4210]. They are always related to the base specification. Hence, references to the original sections in [RFC4210] are used whenever possible.
Insert this section after the current Section 1 of [RFC4210]:
1.1. Changes Since RFC 4210
The following updates are made in this document:
- Adding new extended key usages for various CMP server types, e.g., registration authority and certification authority, to express the authorization of the entity identified in the certificate containing the respective extended key usage extension that acts as the indicated PKI management entity.
- Extending the description of multiple protection to cover additional use cases, e.g., batch processing of messages.
- Offering EnvelopedData as the preferred choice next to EncryptedValue to better support crypto agility in CMP. Note that, according to [RFC4211], Section 2.1, point 9, the use of the EncryptedValue structure has been deprecated in favor of the EnvelopedData structure. [RFC4211] offers the EncryptedKey structure a choice of EncryptedValue and EnvelopedData for migration to EnvelopedData. For reasons of completeness and consistency, the type EncryptedValue has been exchanged in all occurrences in [RFC4210]. This includes the protection of centrally generated private keys, encryption of certificates, and protection of revocation passphrases. To properly differentiate the support of EnvelopedData instead of EncryptedValue, CMP version 3 is introduced in case a transaction is supposed to use EnvelopedData.
- Offering an optional hashAlg field in CertStatus that supports confirmation of certificates signed with signature algorithms, e.g., preparing for upcoming post-quantum algorithms, not directly indicating a specific hash algorithm to use to compute the certHash.
- Adding new general message types to request CA certificates, a root CA update, a certificate request template, or a Certificate Revocation List (CRL) update.
- Extending the usage of polling to p10cr, certConf, rr, genm, and error messages.
- Deleting the mandatory algorithm profile in Appendix D.2 of [RFC4210] and referring to Section 7 of CMP Algorithms [RFC9481].
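The hashAlg item above is the one change in this list whose effect is easiest to see in code. The following Python is an added example written for this page; it is not code from RFC 4210, RFC 9480, or any CMP implementation. It shows how a certConf sender or receiver selects the digest for certHash: use CertStatus.hashAlg when it is present, otherwise fall back to the hash the certificate's signature algorithm implies (the RFC 4210 behaviour), and refuse to confirm when neither yields a hash, which is exactly the case (EdDSA here) the new field exists for. The OID lookup tables, the function names, and the fallback logic are this example's assumptions about how an implementation would apply the update; the OIDs themselves are the standard ones for the named algorithms, and the sample certificate bytes are constructed, not a real DER certificate.

```python
import hashlib
import hmac

# Digest algorithm OIDs this example recognises (hashAlg is an
# AlgorithmIdentifier; only its algorithm OID matters here).
HASH_OIDS = {
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}

# Signature algorithm OID -> OID of the hash it implies, or None when the
# signature algorithm does not name a hash (EdDSA). Assumed table for the
# example; a real implementation would cover its full algorithm profile.
SIG_IMPLIED_HASH = {
    "1.2.840.113549.1.1.11": "2.16.840.1.101.3.4.2.1",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.13": "2.16.840.1.101.3.4.2.3",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "2.16.840.1.101.3.4.2.1",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "2.16.840.1.101.3.4.2.2",    # ecdsa-with-SHA384
    "1.3.101.112": None,                                 # Ed25519
    "1.3.101.113": None,                                 # Ed448
}

# Constructed stand-in for a DER-encoded certificate (not a real cert).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def select_cert_hash_oid(sig_alg_oid, hash_alg_oid=None):
    """Return the digest OID to use for certHash.

    hash_alg_oid is the optional CertStatus.hashAlg (None when absent).
    When absent, fall back to the hash implied by the certificate's
    signature algorithm. If neither names a hash, confirmation is
    impossible and the caller should treat the certConf as invalid.
    """
    if hash_alg_oid is not None:
        if hash_alg_oid not in HASH_OIDS:
            raise ValueError(f"unsupported hashAlg {hash_alg_oid}")
        return hash_alg_oid
    if sig_alg_oid not in SIG_IMPLIED_HASH:
        raise ValueError(f"unknown signature algorithm {sig_alg_oid}")
    implied = SIG_IMPLIED_HASH[sig_alg_oid]
    if implied is None:
        raise ValueError(
            f"signature algorithm {sig_alg_oid} implies no hash; "
            "CertStatus.hashAlg is required")
    return implied


def compute_cert_hash(cert_der, sig_alg_oid, hash_alg_oid=None):
    """Digest the DER-encoded certificate with the selected algorithm."""
    oid = select_cert_hash_oid(sig_alg_oid, hash_alg_oid)
    return hashlib.new(HASH_OIDS[oid], cert_der).digest()


def verify_cert_status(cert_der, sig_alg_oid, cert_hash, hash_alg_oid=None):
    """CA-side check of a received certHash against the issued certificate.

    Returns False both on a mismatch and when no digest can be selected,
    so an EdDSA certificate confirmed without hashAlg is rejected rather
    than silently accepted.
    """
    try:
        expected = compute_cert_hash(cert_der, sig_alg_oid, hash_alg_oid)
    except ValueError:
        return False
    return hmac.compare_digest(expected, cert_hash)


if __name__ == "__main__":
    rsa = "1.2.840.113549.1.1.11"
    ed25519 = "1.3.101.112"
    sha512 = "2.16.840.1.101.3.4.2.3"
    print("RSA/SHA-256, no hashAlg :", compute_cert_hash(SAMPLE_CERT_DER, rsa).hex())
    print("Ed25519, hashAlg=SHA-512:", compute_cert_hash(SAMPLE_CERT_DER, ed25519, sha512).hex())
    print("Ed25519, no hashAlg     :", verify_cert_status(SAMPLE_CERT_DER, ed25519, b"\x00" * 64))
```

On the receiving side the same selection runs before the comparison, so a peer that omits hashAlg for a signature algorithm without an implied hash gets a rejected confirmation rather than a guessed digest.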