2.24. Add Section 8.6 - Trust Anchor Provisioning Using CMP Messages

The following subsection addresses the risk arising from in-band provisioning of new trust anchors in a PKI management operation.

Insert this section after the new Section 8.5:

8.6. Trust Anchor Provisioning Using CMP Messages

A provider of trust anchors, which may be an RA involved in configuration management of its clients, MUST NOT include to-be-trusted CA certificates in a CMP message unless the specific deployment scenario can ensure that it is adequate that the receiving EE trusts these certificates, e.g., by loading them into its trust store.

Whenever an EE receives in a CMP message a CA certificate to be used as a trust anchor (for example in the caPubs field of a certificate response or in a general response), it MUST properly authenticate the message sender with existing trust anchor information without requiring the new trust anchors included in the message.

Additionally, the EE MUST verify that the sender is an authorized source of trust anchors. This authorization is governed by local policy and typically indicated using shared secret information or with a signature-based message protection using a certificate issued by a PKI that is explicitly authorized for this purpose.
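The order of checks this section imposes on an EE, as an added example that is not part of RFC text or any CMP implementation: authenticate the sender against the pre-existing trust anchors only (ignoring caPubs), verify the message protection, confirm the sender is authorized by local policy, and only then install the delivered anchors. All names, the sender "certificates" and the HMAC stand-in for signature-based protection are constructed assumptions so the example runs with the standard library alone.

```python
import hmac, hashlib, json

# Constructed sample data standing in for CMP structures; not real PKI material.
# The EE's pre-existing trust store: subject names of already trusted CA certificates.
EXISTING_TRUST_ANCHORS = {"CN=Root CA 1"}
# Local policy: senders explicitly authorized to act as trust anchor providers.
AUTHORIZED_PROVIDERS = {"CN=RA 1"}
# Stand-in sender certificates: subject -> issuer plus a key used with HMAC in
# place of a real signature (assumption made to keep the example self-contained).
SENDER_CERTS = {
    "CN=RA 1": {"issuer": "CN=Root CA 1", "key": b"constructed-ra1-key"},
    "CN=Server 7": {"issuer": "CN=Root CA 1", "key": b"constructed-srv7-key"},
    "CN=Rogue RA": {"issuer": "CN=Rogue Root", "key": b"constructed-rogue-key"},
}

def protect(sender, body):
    """Build a protected message (simplified PKIMessage) from the named sender."""
    header = {"sender": sender}
    tbs = json.dumps([header, body], sort_keys=True).encode()
    mac = hmac.new(SENDER_CERTS[sender]["key"], tbs, hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "protection": mac}

def process_response(msg, trust_anchors):
    """Return the EE's updated trust anchor set, or raise ValueError to reject.

    Checks run in the order Section 8.6 requires; caPubs is never consulted
    before the sender has been authenticated with the existing anchors.
    """
    sender = msg["header"]["sender"]
    cert = SENDER_CERTS.get(sender)
    # Step 1: the sender certificate must chain to an anchor the EE already holds.
    if cert is None or cert["issuer"] not in trust_anchors:
        raise ValueError("sender not trusted by existing trust anchors")
    # Step 2: verify message protection with the authenticated sender's key.
    tbs = json.dumps([msg["header"], msg["body"]], sort_keys=True).encode()
    expected = hmac.new(cert["key"], tbs, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["protection"]):
        raise ValueError("message protection invalid")
    ca_pubs = msg["body"].get("caPubs", [])
    if not ca_pubs:
        return set(trust_anchors)
    # Step 3: an authenticated sender is not automatically an authorized provider.
    if sender not in AUTHORIZED_PROVIDERS:
        raise ValueError("sender not authorized to provide trust anchors")
    # Step 4: only now install the delivered CA certificates as trust anchors.
    return set(trust_anchors) | set(ca_pubs)
```

The rogue case matters most: a sender whose certificate chains only to a CA that the same message delivers in caPubs is rejected at step 1, because the new anchor is never used to authenticate the message that carries it.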