2.19. Replace Section 5.3.22 - Polling Request and Response
2.19. Replace Section 5.3.22 - Polling Request and Response
Section 5.3.22 of [RFC4210] describes when and how polling messages are used for ir, cr, and kur messages. This document extends the polling mechanism for outstanding responses to any kind of request message. This update also fixes the inconsistent use of the terms 'pReq' vs. 'pollReq' and 'pRep' vs. 'pollRep'.
Replace Section 5.3.22 of [RFC4210] with following text:
This pair of messages is intended to handle scenarios in which the client needs to poll the server to determine the status of an outstanding response (i.e., when the "waiting" PKIStatus has been received).
PollReqContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER }
PollRepContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER,
checkAfter INTEGER, -- time in seconds
reason PKIFreeText OPTIONAL }
In response to an ir, cr, p10cr, or kur request message, polling is initiated with an ip, cp, or kup response message containing status "waiting". For any type of request message, polling can be initiated with an error response messages with status "waiting". The following clauses describe how polling messages are used. It is assumed that multiple certConf messages can be sent during transactions. There will be one sent in response to each ip, cp, or kup that contains a CertStatus for an issued certificate.
-
In response to an ip, cp, or kup message, an EE will send a certConf for all issued certificates and expect a PKIconf for each certConf. An EE will send a pollReq message in response to each CertResponse element of an ip, cp, or kup message with status "waiting" and in response to an error message with status "waiting". Its certReqId MUST be either the index of a CertResponse data structure with status "waiting" or -1, referring to the complete response.
-
In response to a pollReq, a CA/RA will return an ip, cp, or kup if one or more of the still pending requested certificates are ready or the final response to some other type of request is available; otherwise, it will return a pollRep.
-
If the EE receives a pollRep, it will wait for at least the number of seconds given in the checkAfter field before sending another pollReq.
-
If the EE receives an ip, cp, or kup, then it will be treated in the same way as the initial response; if it receives any other response, then this will be treated as the final response to the original request.
The following client-side state machine describes polling for individual CertResponse elements.
START
|
v
Send ir
| ip
v
Check status
of returned <------------------------+
certs |
| |
+------------------------>|<------------------+ |
| | | |
| (issued) v (waiting) | |
Add to <----------- Check CertResponse ------> Add to |
conf list for each certificate pending list |
/ |
/ |
(conf list) / (empty conf list) |
/ ip |
/ +-----------------+
(empty pending list) / | pollRep
END <---- Send certConf Send pollReq---------->Wait
| ^ ^ |
| | | |
+-----------------+ +---------------+
(pending list)
In the following exchange, the end entity is enrolling for two certificates in one request.
Step End Entity PKI
--------------------------------------------------------------------
1 Format ir
2 -> ir ->
3 Handle ir
4 Manual intervention is
required for both certs
5 <- ip <-
6 Process ip
7 Format pollReq
8 -> pollReq ->
9 Check status of cert requests
10 Certificates not ready
11 Format pollRep
12 <- pollRep <-
13 Wait
14 Format pollReq
15 -> pollReq ->
16 Check status of cert requests
17 One certificate is ready
18 Format ip
19 <- ip <-
20 Handle ip
21 Format certConf
22 -> certConf ->
23 Handle certConf
24 Format ack
25 <- pkiConf <-
26 Format pollReq
27 -> pollReq ->
28 Check status of certificate
29 Certificate is ready
30 Format ip
31 <- ip <-
31 Handle ip
32 Format certConf
33 -> certConf ->
34 Handle certConf
35 Format ack
36 <- pkiConf <-
The following client-side state machine describes polling for a complete response message.
Start
|
| Send request
|
+----------- Receive response ------------+
| |
| ip/cp/kup/error with | other
| status "waiting" | response
| |
v |
+------> Polling |
| | |
| | Send pollReq |
| | Receive response |
| | |
| pollRep | other response |
+-----------+------------------->+<-------------------+
|
v
End