1. Introduction
This section preserves the RFC text for EST CSR Attributes, including CSR attribute OIDs and values, ASN.1 syntax, id-ExtensionReq, CertificationRequestInfoTemplate, Base64 examples, ASN.1 dump output, IANA registrations, and security considerations.
Original RFC Text
1. Introduction
This document updates RFC 7030 and clarifies how the Certificate
Signing Request (CSR) Attributes Response can be used by an EST
server to specify both CSR attribute OIDs and CSR attribute values.
In particular, the server needs to be able to specify X.509 extension
values that it expects the client to include in the subsequent CSR.
"Enrollment over Secure Transport" [RFC7030] has been used in a wide
variety of applications. In particular, [RFC8994] and [RFC8995]
describe a way to use it in order to build out an Autonomic Control
Plane (ACP) [RFC8368].
When bootstrapping the ACP, there is a requirement that each node be
given a very specific subjectAltName. In [RFC8994], the ACP
specification, the EST server is specified to make use of the CSR
Attributes ("/csrattrs") Request (specified in [RFC7030],
Section 2.6) to convey the actual subjectAltName to the EST client
that needs to go into its CSR and thus ultimately into its End Entity
(EE) certificate.
As a result of some implementation challenges, it came to light that
this particular way of using the CSR Attributes was not universally
agreed upon, and it was suggested that it went contrary to [RFC7030],
Section 2.6.
[RFC7030], Section 2.6 says that the CSR Attributes "can provide
additional descriptive information that the EST server cannot access
itself". This is extended to describe how the EST server can provide
values that it demands be used.
After significant discussion, it has been determined that Section 4.5
of [RFC7030] is sufficiently difficult to read and ambiguous to
interpret, so clarification is needed.
Also, [RFC7030], Section 4.5.2 is extended to clarify the use of the
existing ASN.1 syntax [X.680] [X.690].
This covers all uses and is fully backward compatible with existing
use, including addressing the needs of [RFC8994] and [RFC8995].