2.6. Replace Section 5.1.3.4 - Multiple Protection
Section 5.1.3.4 of [RFC4210] describes the nested message. This document also enables using nested messages for batch-delivery transport of PKI messages between PKI management entities and with mixed body types.
Replace the text of the section with the following text:
5.1.3.4. Multiple Protection
When receiving a protected PKI message, a PKI management entity, such as an RA, MAY forward that message along with adding its own protection (which is a MAC or a signature, depending on the information and certificates shared between the RA and the CA). Additionally, multiple PKI messages MAY be aggregated. There are several use cases for such messages.
- The RA confirms having validated and authorized a message and forwards the original message unchanged.
- The RA modifies the message(s) in some way (e.g., adds or modifies particular field values or adds new extensions) before forwarding them; then, it MAY create its own desired PKIBody. If the changes made by the RA to PKIMessage break the POP of a certificate request, the RA MUST set the popo field to RAVerified. It MAY include the original PKIMessage from the EE in the generalInfo field of PKIHeader of a nested message (to accommodate, for example, cases in which the CA wishes to check POP or other information on the original EE message). The infoType to be used in this situation is {id-it 15} (see Section 5.3.19 for the value of id-it), and the infoValue is PKIMessages (contents MUST be in the same order as the message in PKIBody).
- A PKI management entity collects several messages that are to be forwarded in the same direction and forwards them in a batch. Request messages can be transferred as a batch upstream (towards the CA); response or announce messages can be transferred as a batch downstream (towards an RA but not to the EE). For instance, this can be used when bridging an off-line connection between two PKI management entities.
These use cases are accomplished by nesting the messages within a new PKI message. The structure used is as follows:
NestedMessageContent ::= PKIMessages
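As an added illustration (not part of RFC 4210 or this document, and not any implementation's code), the following Python builds a NestedMessageContent at the DER level from already-encoded PKIMessage values and splits one back into its elements in the original order, enforcing the SIZE (1..MAX) constraint and strict DER lengths that a receiving PKI management entity should check before processing a batch. The PKIMessage blobs at the end are constructed stand-ins, not real CMP messages.

```python
SEQUENCE_TAG = 0x30

def der_length(n):  # DER length: short form below 128, minimal long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_nested(pki_messages):
    """NestedMessageContent ::= PKIMessages (SEQUENCE SIZE (1..MAX) OF PKIMessage)."""
    if not pki_messages:
        raise ValueError("PKIMessages requires at least one PKIMessage")
    if any(not m or m[0] != SEQUENCE_TAG for m in pki_messages):
        raise ValueError("every element must be a DER SEQUENCE (a PKIMessage)")
    inner = b"".join(pki_messages)          # order of the inputs is preserved
    return bytes([SEQUENCE_TAG]) + der_length(len(inner)) + inner

def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + 2 + nbytes > len(buf) or buf[pos + 2] == 0:
            raise ValueError("indefinite, non-minimal or truncated length: BER, not DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    end = start + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, start, end

def decode_nested(der):
    """Split a NestedMessageContent into its PKIMessage encodings, in order."""
    tag, start, end = _read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("not exactly one DER SEQUENCE")
    out, pos = [], start
    while pos < end:
        etag, _, eend = _read_tlv(der, pos)
        if etag != SEQUENCE_TAG:
            raise ValueError("element is not a PKIMessage SEQUENCE")
        out.append(der[pos:eend])
        pos = eend
    if not out:
        raise ValueError("PKIMessages must contain at least one PKIMessage")
    return out

# Constructed stand-ins for DER-encoded PKIMessages (opaque SEQUENCEs, not real CMP)
MSG_A, MSG_B = bytes([0x30, 0x03, 0x02, 0x01, 0x01]), bytes([0x30, 0x03, 0x02, 0x01, 0x02])
```

Each element returned by decode_nested still carries its own PKIHeader and protection; the outer nested message's protection only authenticates the forwarding entity, so a receiver must verify both layers.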