<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="pre5378Trust200902" docName="draft-ietf-lamps-rfc5272bis-11" number="10002" category="std" consensus="true" submissionType="IETF" updates="" obsoletes="5272, 6402" tocInclude="true" sortRefs="true" symRefs="true" version="3" xml:lang="en">

  <front>
    <title abbrev="CMC: Structures">Certificate Management over CMS (CMC)</title>
    <seriesInfo name="RFC" value="10002"/>
    <author initials="J." surname="Mandel" fullname="Joseph Mandel" role="editor">
      <organization>AKAYLA, Inc.</organization>
      <address>
        <email>joe@akayla.com</email>
      </address>
    </author>
    <author initials="S." surname="Turner" fullname="Sean Turner" role="editor">
      <organization>sn3rd</organization>
      <address>
        <email>sean@sn3rd.com</email>
      </address>
    </author>
    <date year="2026" month="July"/>

    <area>SEC</area>
    <workgroup>lamps</workgroup>

    <keyword>Public Key Infrastructure</keyword>
    <keyword>Certificate Management</keyword>
    <keyword>Cryptographic Message Syntax</keyword>

    <abstract>
<t>This document defines the base syntax for CMC, a Certificate
Management protocol using the Cryptographic Message Syntax (CMS).
This protocol addresses two immediate needs within the Internet
Public Key Infrastructure (PKI) community:</t>
      <ol spacing="normal" type="1">
	<li>
          <t>The need for an interface to public key certification products
and services based on CMS and PKCS #10 (Public Key Cryptography
Standard), and</t>
        </li>
        <li>
          <t>The need for a PKI enrollment protocol for encryption-only keys
due to algorithm or hardware design.</t>
        </li>
      </ol>


      <t>CMC also requires the use of the transport document (RFC 10003) and the
requirements usage document (RFC 10004) along with this document for a full
definition.</t>
      <t>This document obsoletes RFCs 5272 and 6402.</t>
    </abstract>

  </front>
  <middle>

    <section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines the base syntax for CMC, a Certificate
Management protocol using the Cryptographic Message Syntax (CMS).
This protocol addresses two immediate needs within the Internet PKI
community:</t>
      <ol spacing="normal" type="1"><li>
          <t>The need for an interface to public key certification products
and services based on CMS and PKCS #10, and</t>
        </li>
        <li>
          <t>The need for a PKI enrollment protocol for encryption-only keys
due to algorithm or hardware design.</t>
        </li>
      </ol>
      <t>A small number of additional services are defined to supplement the
      core certification request service.</t>

            <t>CMC also requires the use of the transport document <xref target="RFC10003"/> and the
requirements usage document <xref target="RFC10004"/> along with this document for a full
definition.</t>
      <t>This document obsoletes RFCs 5272 <xref target="RFC5272"/> and 6402 <xref target="RFC6402"/>.</t>
      <section anchor="protocol-requirements">
        <name>Protocol Requirements</name>


        <t>As much as possible, the protocol must be based on the existing CMS <xref target="RFC5652"/> <xref target="RFC5083"/>,
PKCS #10 <xref target="RFC2986"/>, and CRMF (Certificate Request Message Format)
<xref target="RFC4211"/> specifications.</t>
        <t>The protocol must support the current industry practice of a PKCS #10
certification request followed by a PKCS #7 "certs-only" response as a
subset of the protocol.</t>
        <t>The protocol must easily support the multi-key enrollment protocols
required by S/MIME and other groups.</t>
        <t>The protocol must supply a way of doing all enrollment operations in
a single round trip.  When this is not possible, the number of
round trips is to be minimized.</t>
        <t>The protocol must be designed such that all key generation can occur
	on the client.</t>

        <t>Support must exist for the mandatory algorithms used by S/MIME.
Support should exist for all other algorithms cited by the S/MIME
core documents.</t>
        <t>The protocol must contain Proof-of-Possession (POP) methods.
Optional provisions for multiple-round-trip POP will be made if
necessary.</t>
        <t>The protocol must support deferred and pending responses to
enrollment requests for cases where external procedures are required
to issue a certificate.</t>
      </section>
      <section anchor="requirements-terminology">
        <name>Requirements Terminology</name>
        <t>
    The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
    described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here.
        </t>
      </section>

      <section anchor="changes-from-rfc-2797">
        <name>Changes Since RFC 2797</name>

        <t><xref target="RFC5272"/> was a major overhaul on the layout of <xref target="RFC2797"/>. This
included two different steps.  Primarily, the removal of some sections from
	the document to be moved to two other documents:</t>
	<ul>
	  <li>Information on
	  how to transport messages is now found in <xref target="RFC10003"/>.</li>
	  <li>Information on which controls and sections of this document must be
implemented along with which algorithms are required can now be found
in <xref target="RFC10004"/>.</li></ul>
        <t>A number of new controls were added in <xref target="RFC5272"/>:</t>
        <ul spacing="normal">
          <li>"<xref target="extCMCStatusInfo" format="title"/>" (<xref target="extCMCStatusInfo"/>)</li>
          <li>"<xref target="PublishTrustAnchorsControl" format="title"/> (<xref target="PublishTrustAnchorsControl"/>)</li>
          <li>"<xref target="AuthenticatedDataControl" format="title"/> (<xref target="AuthenticatedDataControl"/>)</li>
          <li>"<xref target="BatchRequestandResponseControls" format="title"/> (<xref target="BatchRequestandResponseControls"/>)</li>
          <li>"<xref target="PublicationInformationControl" format="title"/> (<xref target="PublicationInformationControl"/>)</li>
          <li>"<xref target="ModifyCertificationRequestControl" format="title"/> (<xref target="ModifyCertificationRequestControl"/>)</li>
          <li>"<xref target="ControlProcessedControl" format="title"/> (<xref target="ControlProcessedControl"/>)</li>
          <li>"<xref target="IdentityProofControl" format="title"/> (<xref target="IdentityProofControl"/>)</li>
          <li>"<xref target="POPLinkWitnessVersion2Controls" format="title"/> (<xref target="POPLinkWitnessVersion2Controls"/>)</li>
        </ul>
      </section>
      <section anchor="updates-made-by-rfc-6402">
        <name>Updates Made by RFC 6402</name>
        <t><xref target="RFC6402"/> includes changes to <xref target="RFC5272"/>
that are noted in this section.</t>
        <t>Two added controls:</t>
        <ul spacing="normal">
          <li>Registration Authority (RA) Identity Witness allows for an RA to perform identity
          checking using the identity and shared-secret, and tell any
          following servers that the identity check was successfully
          performed.</li>
          <li>Response Body allows for an RA to identify a nested response for
          an End-Entity (EE) to process.</li>
        </ul>
        <t><xref target="RFC6402"/> also:</t>
	<ul>
	  <li>Creates the Change Subject Name attribute, which allows a client
to request a change in the <tt>subject</tt> field and Subject Alternative Name
extension in a certificate.</li>
        <li>Adds Extended Key Usages (EKUs) for CMC to distinguish server types.</li>
        <li>Defines a new Subject Information Access extension to hold locations to
contact the CMC server.</li>
        <li>Clarifies that the use of a preexisting certificate is not limited
to just renewal and rekey messages and is required for support.
This formalizes a requirement for the ability to do renewal and
rekey that previously was implicit.</li></ul>
      </section>
      <section anchor="changes-since-rfc-6402">
        <name>Changes Since RFC 6402</name>
        <t>This document introduces changes to
	<xref target="RFC5272"/> that are noted in this section.</t>
	<ul>
        <li>Merged <xref target="RFC6402"/> text.</li>
        <li>Included updates inspired by the following errata reports: <xref target="Err8385"/>, <xref target="Err8137"/>,
<xref target="Err8027"/>, <xref target="Err7629"/>, <xref target="Err7628"/>, <xref target="Err7627"/>,
<xref target="Err7379"/>, <xref target="Err6571"/>, <xref target="Err5931"/>, <xref target="Err4775"/>,
<xref target="Err2731"/>, <xref target="Err2063"/>, and <xref target="Err3943"/> (for <xref target="RFC6402"/>).</li>

        <li>To support adopting SHA-256 and HMAC-SHA256, <tt>maca-hMAC-SHA256</tt> was added to
<tt>POPAlgs</tt> and <tt>mda-sha256</tt> was added to <tt>WitnessAlgs</tt>. Both were included in
the example in <xref target="enroll"/>.</li>
        <li>Updated the "Encrypted and Decrypted POP Controls" section (<xref target="EncryptedandDecryptedPOPControls"/>) to use HMAC-SHA256.</li>
        <li>Updated the ASN.1 module to import from the 2008 ASN.1 module from
<xref target="RFC5912"/>.</li>
        <li>Modified the ASN.1 module in <xref target="asn.1-cmc"/> to import Password-Based Key Derivation Function 2 (PBKDF2) Pseudorandom Functions (PRFs) from
<xref target="asn.1-pbkdf2"/>.</li>
        <li>Added a direct POP example to address management of Key Encapsulation Mechanism (KEM) certificates.</li>
        <li>Added <tt>id-ce-subjectKeyIdentifier</tt> to examples.</li>

        <li>Clarified that the <tt>subjectKeyIdentifier</tt> choice must be used with <tt>id-alg-noSignature</tt>.</li>
        <li>Updated the CMC Control Attribute Table (see <xref target="ctrl-attrs"/>) to include <tt>raIdentityWitness</tt> and
<tt>responseBody</tt> from <xref target="RFC6402"/>.</li>
        <li>Added support for <tt>AuthEnvelopedData</tt>.</li></ul>
      </section>
    </section>
    <section anchor="protocol-overview">
      <name>Protocol Overview</name>
      <t>A PKI enrollment transaction in this specification is generally
composed of a single round trip of messages. In the simplest case, a
PKI enrollment request, henceforth referred to as a PKI Request, is
sent from the client to the server; a PKI enrollment response,
henceforth referred to as a PKI Response, is then returned from the
server to the client. In more complicated cases, such as delayed
certificate issuance, more than one round trip is required.</t>
      <t>This specification defines two PKI Request types and two PKI Response
types.</t>
      <t>PKI Requests are formed using either the PKCS #10 or CRMF
      structure.  The two PKI Requests are:</t>

      <dl spacing="normal">
        <dt>Simple PKI Request:</dt><dd>the bare PKCS #10 (in the event that no other services are
        needed).</dd>
        <dt>Full PKI Request:</dt><dd>one or more PKCS #10, CRMF, or Other Request Message structures
        wrapped in a CMS encapsulation as part of a <tt>PKIData</tt>.</dd>
      </dl>

      <t>PKI Responses are based on <tt>SignedData</tt> or <tt>AuthenticatedData</tt> <xref
      target="RFC5652"/>.  The two PKI Responses are:</t>

      <dl spacing="normal">
        <dt>Simple PKI Response:</dt><dd>a "certs-only" <tt>SignedData</tt> (in the event no other services are
        needed).</dd>
        <dt>Full PKI Response:</dt><dd>a <tt>PKIResponse</tt> content type wrapped in a <tt>SignedData</tt>.</dd>
      </dl>

      <t>No special services are provided for either renewal (i.e., a new
certificate with the same key) or rekey (i.e., a new certificate with
a new key) of client certificates. Instead, renewal and rekey
requests look the same as any certification request, except that the
Proof-of-Identity is supplied by existing certificates from a trusted
      Certification Authority (CA).</t>
      <aside>
	<t>Note: This is usually the same CA, but it could be a different CA in the
same organization where naming is shared.</t></aside>
      <t>No special services are provided to distinguish between a rekey
request and a new certification request (generally for a new
purpose). CAs or other publishing agents are also expected to have
policies for removing certificates from publication based either on
new certificates being added or the expiration or revocation of a
certificate. A control to unpublish a certificate would normally be
included in a rekey request if the CA did not wish to have a grace
period between the certificates, be omitted if the CA wishes to have a
grace period between certificates, and be omitted from a new
certification request.</t>
      <t>A provision exists for RAs to participate in the protocol by taking
PKI Requests, wrapping them in a second layer of PKI Request with
additional requirements or statements from the RA, and then passing
this new expanded PKI Request on to the CA.</t>
      <t>This specification makes no assumptions about the underlying
transport mechanism. The use of CMS does not imply an email-based
transport. Several different possible transport methods are defined
in <xref target="RFC10003"/>.</t>
      <t>Optional services available through this specification are
transaction management, replay detection (through nonces), deferred
certificate issuance, certificate revocation requests and
certificate / Certificate Revocation List (CRL) retrieval.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>There are several different terms, abbreviations, and acronyms used
in this document. These are defined here, in no particular order,
for convenience and consistency of usage:</t>

<dl spacing="normal">

    <dt>End-Entity (EE):</dt><dd>Refers to the entity that owns a key pair and for whom
    a certificate is issued.</dd>

    <dt>Registration Authority (RA) or Local RA (LRA):</dt><dd>Refers to an entity
   that acts as an intermediary between the EE and the CA. Multiple
   RAs can exist between the EE and the CA. RAs may perform additional services such as key
   generation or key archival. This document uses the term RA for
   both RA and LRA.</dd>

    <dt>Certification Authority (CA):</dt><dd>Refers to the entity that issues
   certificates.</dd>

    <dt>Client:</dt><dd>Refers to an entity that creates a PKI Request. In this
   document, both RAs and EEs can be clients.</dd>

    <dt>Server:</dt><dd>Refers to the entities that process PKI Requests and create
    PKI Responses. In this document, both CAs and RAs can be servers.</dd>

    <dt>PKCS #10:</dt><dd>Refers to the Public Key Cryptography Standard #10
   <xref target="RFC2986"/>, which defines a certification request syntax.</dd>
    <dt>CRMF:</dt><dd>Refers to the Certificate Request Message Format <xref target="RFC4211"/>.
   CMC uses the certification request syntax defined in this
   document as part of the protocol.</dd>

    <dt>CMS:</dt><dd>Refers to the Cryptographic Message Syntax <xref target="RFC5652"/>. This
   document provides for basic cryptographic services including
   encryption and signing with and without key management.</dd>

     <dt>PKI Request/Response:</dt><dd>Refers to the requests/responses described in
   this document. PKI Requests include certification requests,
   revocation requests, etc. PKI Responses include "certs-only"
   messages, failure messages, etc.</dd>
    <dt>Proof-of-Identity:</dt><dd>Refers to the client proving they are who they say
   that they are to the server.</dd>

    <dt>Enrollment or certification request:</dt><dd>Refers to the process of a
   client requesting a certificate. A certification request is a
   subset of the PKI Requests.</dd>

    <dt>Proof-of-Possession (POP):</dt><dd><t>Refers to a value that can be used to
   prove that the private key corresponding to a public key is in the
   possession and can be used by an EE. The different types
   of POP are:</t>
        <ul spacing="normal">
          <li>
            <t>Signature provides the required POP by a signature operation
            over some data.</t>
          </li>
          <li>
            <t>Direct provides the required POP operation by an encrypted
            challenge-response mechanism.</t>
          </li>
          <li>
            <t>Indirect provides the required POP operation by returning the
            issued certificate in an encrypted state.  (This method is not
            used by CMC.)</t>
          </li>
          <li>
            <t>Publish provides the required POP operation by providing the
            private key to the certificate issuer. (This method is not
            currently used by CMC. It would be used by Key Generation or Key
            Escrow extensions.)</t>
          </li>
          <li>
            <t>Attested provides the required POP operation by allowing a
            trusted entity to assert that the POP has been proven by one of
            the above methods.</t>
          </li>
	</ul></dd>

    <dt>Object IDentifier (OID):</dt><dd>A primitive type in Abstract Syntax
   Notation One <xref target="ASN.1"/>.</dd>

    <dt>HMAC:</dt><dd>Refers to the Hashed Message Authentication Code. CMC uses the ASN.1 module defined in <xref target="RFC6268" />.</dd>
</dl>

      </section>
      <section anchor="ProtocolRequestsResponses">
        <name>Protocol Requests/Responses</name>
        <t><xref target="fig-simple"/> shows the Simple PKI Requests and Responses. The contents
of the Simple PKI Request and Response are detailed in Sections <xref target="SimplePKIRequest" format="counter"/> and
	<xref target="SimplePKIResponse" format="counter"/>.</t>



        <figure anchor="fig-simple">
          <name>Simple PKI Requests and Responses</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="384" width="552" viewBox="0 0 552 384" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 16,80 L 16,240" fill="none" stroke="black"/>
                <path d="M 104,80 L 104,112" fill="none" stroke="black"/>
                <path d="M 112,240 L 112,304" fill="none" stroke="black"/>
                <path d="M 224,112 L 224,304" fill="none" stroke="black"/>
                <path d="M 336,80 L 336,320" fill="none" stroke="black"/>
                <path d="M 456,320 L 456,352" fill="none" stroke="black"/>
                <path d="M 488,80 L 488,112" fill="none" stroke="black"/>
                <path d="M 544,112 L 544,352" fill="none" stroke="black"/>
                <path d="M 8,48 L 200,48" fill="none" stroke="black"/>
                <path d="M 328,48 L 528,48" fill="none" stroke="black"/>
                <path d="M 16,80 L 104,80" fill="none" stroke="black"/>
                <path d="M 336,80 L 488,80" fill="none" stroke="black"/>
                <path d="M 16,112 L 224,112" fill="none" stroke="black"/>
                <path d="M 336,112 L 544,112" fill="none" stroke="black"/>
                <path d="M 16,240 L 224,240" fill="none" stroke="black"/>
                <path d="M 112,304 L 224,304" fill="none" stroke="black"/>
                <path d="M 336,320 L 544,320" fill="none" stroke="black"/>
                <path d="M 456,352 L 544,352" fill="none" stroke="black"/>
                <g class="text">
                  <text x="28" y="36">Simple</text>
                  <text x="72" y="36">PKI</text>
                  <text x="120" y="36">Request</text>
                  <text x="348" y="36">Simple</text>
                  <text x="392" y="36">PKI</text>
                  <text x="444" y="36">Response</text>
                  <text x="44" y="100">PKCS</text>
                  <text x="80" y="100">#10</text>
                  <text x="360" y="100">CMS</text>
                  <text x="424" y="100">ContentInfo</text>
                  <text x="80" y="132">Certification</text>
                  <text x="168" y="132">Request</text>
                  <text x="360" y="132">CMS</text>
                  <text x="404" y="132">Signed</text>
                  <text x="456" y="132">Data,</text>
                  <text x="372" y="148">no</text>
                  <text x="428" y="148">SignerInfo</text>
                  <text x="56" y="164">Subject</text>
                  <text x="108" y="164">Name</text>
                  <text x="56" y="180">Subject</text>
                  <text x="116" y="180">Public</text>
                  <text x="160" y="180">Key</text>
                  <text x="196" y="180">Info</text>
                  <text x="388" y="180">SignedData</text>
                  <text x="468" y="180">contains</text>
                  <text x="520" y="180">one</text>
                  <text x="72" y="196">(K_PUB)</text>
                  <text x="356" y="196">or</text>
                  <text x="388" y="196">more</text>
                  <text x="460" y="196">certificates</text>
                  <text x="524" y="196">in</text>
                  <text x="68" y="212">Attributes</text>
                  <text x="360" y="212">the</text>
                  <text x="428" y="212">certificates</text>
                  <text x="504" y="212">field</text>
                  <text x="380" y="228">Relevant</text>
                  <text x="428" y="228">CA</text>
                  <text x="464" y="228">certs</text>
                  <text x="504" y="228">and</text>
                  <text x="364" y="244">CRLs</text>
                  <text x="400" y="244">can</text>
                  <text x="428" y="244">be</text>
                  <text x="476" y="244">included</text>
                  <text x="148" y="260">signed</text>
                  <text x="196" y="260">with</text>
                  <text x="356" y="260">as</text>
                  <text x="392" y="260">well.</text>
                  <text x="156" y="276">matching</text>
                  <text x="148" y="292">K_PRIV</text>
                  <text x="440" y="292">encapsulatedContentInfo</text>
                  <text x="356" y="308">is</text>
                  <text x="400" y="308">absent.</text>
                  <text x="500" y="340">unsigned</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Simple PKI Request                      Simple PKI Response
-------------------------               --------------------------

 +----------+                            +------------------+
 | PKCS #10 |                            | CMS ContentInfo  |
 +----------+--------------+             +------------------+------+
 | Certification Request   |             | CMS Signed Data,        |
 |                         |             |   no SignerInfo         |
 | Subject Name            |             |                         |
 | Subject Public Key Info |             | SignedData contains one |
 |   (K_PUB)               |             | or more certificates in |
 | Attributes              |             | the certificates field  |
 |                         |             | Relevant CA certs and   |
 +-----------+-------------+             | CRLs can be included    |
             | signed with |             | as well.                |
             | matching    |             |                         |
             | K_PRIV      |             | encapsulatedContentInfo |
             +-------------+             | is absent.              |
                                         +--------------+----------+
                                                        | unsigned |
                                                        +----------+]]></artwork>
          </artset>
        </figure>
        <t><xref target="fig-full"/> shows the Full PKI Requests and Responses. The contents of
the Full PKI Request and Response are detailed in Sections <xref target="FullPKIRequest" format="counter"/> and
<xref target="FullPKIResponse" format="counter"/>.</t>
        <figure anchor="fig-full">
          <name>Full PKI Requests and Responses</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="544" width="552" viewBox="0 0 552 544" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 16,64 L 16,400" fill="none" stroke="black"/>
                <path d="M 80,400 L 80,496" fill="none" stroke="black"/>
                <path d="M 152,64 L 152,144" fill="none" stroke="black"/>
                <path d="M 224,144 L 224,496" fill="none" stroke="black"/>
                <path d="M 336,64 L 336,464" fill="none" stroke="black"/>
                <path d="M 416,464 L 416,512" fill="none" stroke="black"/>
                <path d="M 472,64 L 472,144" fill="none" stroke="black"/>
                <path d="M 544,144 L 544,512" fill="none" stroke="black"/>
                <path d="M 8,48 L 184,48" fill="none" stroke="black"/>
                <path d="M 328,48 L 512,48" fill="none" stroke="black"/>
                <path d="M 16,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 336,64 L 472,64" fill="none" stroke="black"/>
                <path d="M 16,144 L 224,144" fill="none" stroke="black"/>
                <path d="M 336,144 L 544,144" fill="none" stroke="black"/>
                <path d="M 16,400 L 224,400" fill="none" stroke="black"/>
                <path d="M 336,464 L 544,464" fill="none" stroke="black"/>
                <path d="M 80,496 L 224,496" fill="none" stroke="black"/>
                <path d="M 416,512 L 544,512" fill="none" stroke="black"/>
                <g class="text">
                  <text x="20" y="36">Full</text>
                  <text x="56" y="36">PKI</text>
                  <text x="104" y="36">Request</text>
                  <text x="340" y="36">Full</text>
                  <text x="376" y="36">PKI</text>
                  <text x="428" y="36">Response</text>
                  <text x="40" y="84">CMS</text>
                  <text x="104" y="84">ContentInfo</text>
                  <text x="360" y="84">CMS</text>
                  <text x="424" y="84">ContentInfo</text>
                  <text x="40" y="100">CMS</text>
                  <text x="100" y="100">SignedData</text>
                  <text x="360" y="100">CMS</text>
                  <text x="420" y="100">SignedData</text>
                  <text x="52" y="116">or</text>
                  <text x="84" y="116">Auth</text>
                  <text x="124" y="116">Data</text>
                  <text x="372" y="116">or</text>
                  <text x="404" y="116">Auth</text>
                  <text x="444" y="116">Data</text>
                  <text x="84" y="132">object</text>
                  <text x="404" y="132">object</text>
                  <text x="56" y="180">PKIData</text>
                  <text x="392" y="180">PKIResponse</text>
                  <text x="60" y="212">Sequence</text>
                  <text x="112" y="212">of:</text>
                  <text x="380" y="212">Sequence</text>
                  <text x="432" y="212">of:</text>
                  <text x="72" y="228">&lt;enrollment</text>
                  <text x="160" y="228">control&gt;*</text>
                  <text x="392" y="228">&lt;enrollment</text>
                  <text x="480" y="228">control&gt;*</text>
                  <text x="84" y="244">&lt;certification</text>
                  <text x="184" y="244">request&gt;*</text>
                  <text x="364" y="244">&lt;CMS</text>
                  <text x="420" y="244">object&gt;*</text>
                  <text x="44" y="260">&lt;CMS</text>
                  <text x="100" y="260">object&gt;*</text>
                  <text x="372" y="260">&lt;other</text>
                  <text x="440" y="260">message&gt;*</text>
                  <text x="52" y="276">&lt;other</text>
                  <text x="120" y="276">message&gt;*</text>
                  <text x="368" y="292">where</text>
                  <text x="400" y="292">*</text>
                  <text x="420" y="292">==</text>
                  <text x="452" y="292">zero</text>
                  <text x="484" y="292">or</text>
                  <text x="516" y="292">more</text>
                  <text x="48" y="308">where</text>
                  <text x="80" y="308">*</text>
                  <text x="100" y="308">==</text>
                  <text x="132" y="308">zero</text>
                  <text x="164" y="308">or</text>
                  <text x="196" y="308">more</text>
                  <text x="360" y="324">All</text>
                  <text x="428" y="324">certificates</text>
                  <text x="508" y="324">issued</text>
                  <text x="80" y="340">Certification</text>
                  <text x="172" y="340">requests</text>
                  <text x="356" y="340">as</text>
                  <text x="388" y="340">part</text>
                  <text x="420" y="340">of</text>
                  <text x="448" y="340">the</text>
                  <text x="500" y="340">response</text>
                  <text x="40" y="356">are</text>
                  <text x="80" y="356">CRMF,</text>
                  <text x="124" y="356">PKCS</text>
                  <text x="164" y="356">#10,</text>
                  <text x="196" y="356">or</text>
                  <text x="360" y="356">are</text>
                  <text x="412" y="356">included</text>
                  <text x="460" y="356">in</text>
                  <text x="488" y="356">the</text>
                  <text x="52" y="372">Other.</text>
                  <text x="404" y="372">"certificates"</text>
                  <text x="488" y="372">field</text>
                  <text x="356" y="388">of</text>
                  <text x="384" y="388">the</text>
                  <text x="448" y="388">SignedData.</text>
                  <text x="380" y="404">Relevant</text>
                  <text x="428" y="404">CA</text>
                  <text x="464" y="404">certs</text>
                  <text x="504" y="404">and</text>
                  <text x="116" y="420">signed</text>
                  <text x="180" y="420">(keypair</text>
                  <text x="364" y="420">CRLs</text>
                  <text x="400" y="420">can</text>
                  <text x="428" y="420">be</text>
                  <text x="476" y="420">included</text>
                  <text x="524" y="420">as</text>
                  <text x="108" y="436">used</text>
                  <text x="144" y="436">may</text>
                  <text x="172" y="436">be</text>
                  <text x="204" y="436">pre-</text>
                  <text x="368" y="436">well.</text>
                  <text x="124" y="452">existing</text>
                  <text x="172" y="452">or</text>
                  <text x="132" y="468">identified</text>
                  <text x="188" y="468">in</text>
                  <text x="104" y="484">the</text>
                  <text x="156" y="484">request)</text>
                  <text x="452" y="484">signed</text>
                  <text x="492" y="484">by</text>
                  <text x="520" y="484">the</text>
                  <text x="436" y="500">CA</text>
                  <text x="460" y="500">or</text>
                  <text x="484" y="500">an</text>
                  <text x="512" y="500">LRA</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Full PKI Request                        Full PKI Response
-----------------------                 ------------------------
 +----------------+                      +----------------+
 | CMS ContentInfo|                      | CMS ContentInfo|
 | CMS SignedData |                      | CMS SignedData |
 |   or Auth Data |                      |   or Auth Data |
 |     object     |                      |     object     |
 +----------------+--------+             +----------------+--------+
 |                         |             |                         |
 | PKIData                 |             | PKIResponse             |
 |                         |             |                         |
 | Sequence of:            |             | Sequence of:            |
 | <enrollment control>*   |             | <enrollment control>*   |
 | <certification request>*|             | <CMS object>*           |
 | <CMS object>*           |             | <other message>*        |
 | <other message>*        |             |                         |
 |                         |             | where * == zero or more |
 | where * == zero or more |             |                         |
 |                         |             | All certificates issued |
 | Certification requests  |             | as part of the response |
 | are CRMF, PKCS #10, or  |             | are included in the     |
 | Other.                  |             | "certificates" field    |
 |                         |             | of the SignedData.      |
 +-------+-----------------+             | Relevant CA certs and   |
         | signed (keypair |             | CRLs can be included as |
         | used may be pre-|             | well.                   |
         | existing or     |             |                         |
         | identified in   |             +---------+---------------+
         | the request)    |                       | signed by the |
         +-----------------+                       | CA or an LRA  |
                                                   +---------------+]]></artwork>
          </artset>
        </figure>
      </section>
    </section>
    <section anchor="PKIRequests">
      <name>PKI Requests</name>
      <t>Two types of PKI Requests exist. This section gives the details for
both types.</t>
      <section anchor="SimplePKIRequest">
        <name>Simple PKI Request</name>
        <t>A Simple PKI Request uses the PKCS #10 syntax <tt>CertificationRequest</tt>
<xref target="RFC2986"/>.</t>
        <t>When a server processes a Simple PKI Request, the PKI Response
returned is:</t>
        <ul spacing="normal">
          <li>
            <t>Simple PKI Response on success.</t>
          </li>
          <li>
            <t>Full PKI Response on failure. The server <bcp14>MAY</bcp14> choose not to return a
   PKI Response in this case.</t>
          </li>
        </ul>
        <t>The Simple PKI Request <bcp14>MUST NOT</bcp14> be used if a Proof-of-Identity needs
to be included.</t>
        <t>The Simple PKI Request cannot be used if the private key is not
	capable of producing some type of signature.</t>
	<aside><t>Note: Diffie-Hellman
(DH) and Elliptic Curve Diffie-Hellman (ECDH) keys can use the
integrity check algorithms in <xref target="RFC6955"/> to prove they have access to the corresponding private key.</t></aside>
        <t>The Simple PKI Request cannot be used for any of the advanced
services specified in this document.</t>
        <t>The client <bcp14>MAY</bcp14> incorporate one or more X.509v3 extensions in any
certification request based on PKCS #10 as an <tt>ExtensionReq</tt> attribute.
The <tt>ExtensionReq</tt> attribute is defined as:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF Extension]]></sourcecode>

        <t>where <tt>Extension</tt> is imported from <xref target="RFC5280"/> <xref target="RFC5912"/> and <tt>ExtensionReq</tt> is
identified by:</t>

        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-ExtensionReq OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 14 }]]></sourcecode>

        <t>Servers <bcp14>MUST</bcp14> be able to process all extensions defined, but not
prohibited, in <xref target="RFC5280"/>. Servers are not required to be able to
process other X.509v3 extensions transmitted using this protocol, nor
are they required to be able to process private extensions. Servers
are not required to put all client-requested extensions into a
certificate. Servers are permitted to modify client-requested
extensions. Servers <bcp14>MUST NOT</bcp14> alter an extension so as to invalidate
the original intent of a client-requested extension. (For example,
changing key usage from <tt>keyAgreement</tt> to <tt>digitalSignature</tt>.) If a
certification request is denied due to the inability to handle a
requested extension and a PKI Response is returned, the server <bcp14>MUST</bcp14>
return a PKI Response with a <tt>CMCFailInfo</tt> value with the value
<tt>unsupportedExt</tt>.</t>
      </section>
      <section anchor="FullPKIRequest">
        <name>Full PKI Request</name>
        <t>The Full PKI Request provides the most functionality and flexibility.</t>
        <t>The Full PKI Request is encapsulated in either a <tt>SignedData</tt> or an
<tt>AuthenticatedData</tt> with an encapsulated content type of <tt>id-cct-PKIData</tt>
(<xref target="PKIDataContentType"/>).</t>
        <t>When a server processes a Full PKI Request, a PKI Response <bcp14>MUST</bcp14> be
returned. The PKI Response returned is:</t>
        <ul spacing="normal">
          <li>
            <t>Simple PKI Response if the enrollment was successful and only
   certificates are returned. (An Extended CMC Status Info V2 control with
   success is implied.)</t>
          </li>
          <li>
            <t>Full PKI Response if the enrollment was successful and information
   is returned in addition to certificates, if the enrollment is
   pending, or if the enrollment failed.</t>
          </li>
        </ul>
        <t>If <tt>SignedData</tt> is used, the signature can be generated using either
the private key material of an embedded signature certification
request (i.e., included in the <tt>TaggedRequest</tt> <tt>tcr</tt> or <tt>crm</tt> fields) or a
previously certified signature key. If the private key of a
signature certification request is used, then:</t>
        <ol spacing="normal" type="1"><li>
            <t>The certification request containing the corresponding public key
<bcp14>MUST</bcp14> include a Subject Key Identifier extension.</t>
          </li>
          <li>
            <t>The <tt>subjectKeyIdentifier</tt> form of the <tt>signerIdentifier</tt> in
<tt>SignerInfo</tt> <bcp14>MUST</bcp14> be used.</t>
          </li>
          <li>
            <t>The value of the <tt>subjectKeyIdentifier</tt> form of <tt>SignerInfo</tt> <bcp14>MUST</bcp14> be
the Subject Key Identifier specified in the corresponding
certification request. (The <tt>subjectKeyIdentifier</tt> form of
<tt>SignerInfo</tt> is used here because no certificates have yet been
issued for the signing key.) If the request key is used for
signing, there <bcp14>MUST</bcp14> be only one <tt>SignerInfo</tt> in the <tt>SignedData</tt>.</t>
          </li>
        </ol>
        <t>If <tt>AuthenticatedData</tt> is used, then:</t>
        <ol spacing="normal" type="1"><li>
            <t>The Password Recipient Info option of <tt>RecipientInfo</tt> <bcp14>MUST</bcp14> be used.</t>
          </li>
          <li>
            <t>A randomly generated key is used to compute the Message
Authentication Code (MAC) value on the encapsulated content.</t>
          </li>
          <li>
            <t>The input for the key derivation algorithm is a concatenation of
the identifier (encoded as UTF-8) and the shared-secret.</t>
          </li>
        </ol>
        <t>When creating a PKI Request to renew or rekey a certificate:</t>
        <ol spacing="normal" type="1"><li>
            <t>The Identification and Identity Proof controls are absent. The
same information is provided by the use of an existing
certificate from a CA when signing the PKI Request. In this
case, the CA that issued the original certificate and the CA the
request is made to will usually be the same, but they could have a
common operator.</t>
          </li>
          <li>
            <t>CAs and RAs can impose additional restrictions on the signing
certificate used. They may require that the most recently issued
signing certificate for a client be used.</t>
          </li>
          <li>
            <t>Some CAs may prevent renewal operations (i.e., reuse of the same
keys). In this case, the CA <bcp14>MUST</bcp14> return a PKI Response with
<tt>noKeyReuse</tt> as the <tt>CMCFailInfo</tt> failure code.</t>
          </li>
        </ol>
        <section anchor="PKIDataContentType">
          <name><tt>PKIData</tt> Content Type</name>
          <t>The <tt>PKIData</tt> content type is used for the Full PKI Request. A <tt>PKIData</tt>
content type is identified by:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cct-PKIData OBJECT IDENTIFIER ::= { id-pkix id-cct(12) 2 }]]></sourcecode>

          <t>The ASN.1 structure corresponding to the <tt>PKIData</tt> content type is:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  PKIData ::= SEQUENCE {
    controlSequence    SEQUENCE SIZE (0..MAX) OF TaggedAttribute,
    reqSequence        SEQUENCE SIZE (0..MAX) OF TaggedRequest,
    cmsSequence        SEQUENCE SIZE (0..MAX) OF TaggedContentInfo,
    otherMsgSequence   SEQUENCE SIZE (0..MAX) OF OtherMsg
  }]]></sourcecode>

          <t>The fields in <tt>PKIData</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>controlSequence</tt> is a sequence of controls. The
              controls defined in this document are found in <xref
              target="Controls"/>. Controls can be defined by other
              parties. Details on the <tt>TaggedAttribute</tt> structure can be found
              in <xref target="ControlSyntax"/>.</t>
            </li>
            <li>
              <t><tt>reqSequence</tt> is a sequence of certification requests. The
   certification requests can be a <tt>CertificationRequest</tt> (PKCS #10), a
   <tt>CertReqMsg</tt> (CRMF), or an externally defined PKI Request. Full
   details are found in <xref target="CertificationRequestFormats"/>. If an externally defined
   certification request is present, but the server does not
   understand the certification request (or will not process it), a
   <tt>CMCStatus</tt> of <tt>noSupport</tt> <bcp14>MUST</bcp14> be returned for the certification
   request item and no other certification requests are processed.</t>
            </li>
            <li>
              <t><tt>cmsSequence</tt> is a sequence of CMS (see <xref target="RFC5652"/>) message objects. See
   <xref target="ContentInfoObjects"/> for more details.</t>
            </li>
            <li>
              <t><tt>otherMsgSequence</tt> is a sequence of arbitrary data objects. Data
   objects placed here are referred to by one or more controls. This
   allows for controls to use large amounts of data without the data
   being embedded in the control. See <xref target="OtherMessageBodies"/> for more
   details.</t>
            </li>
          </ul>

          <t>All certification requests encoded into a single <tt>PKIData</tt> <bcp14>SHOULD</bcp14> be
for the same identity. RAs that batch process (see <xref target="BatchRequestandResponseControls"/>) are
expected to place the PKI Requests received into the <tt>cmsSequence</tt> of a
<tt>PKIData</tt>.</t>
          <t>Processing of the <tt>PKIData</tt> by a recipient is as follows:</t>
          <ol spacing="normal" type="1"><li>
              <t>All controls should be examined and processed in an appropriate
manner. The appropriate processing is to complete processing at
this time, to ignore the control, or to place the control on a
to-do list for later processing. Controls can be processed in
any order; the order in the sequence is not significant.</t>
            </li>
            <li>
              <t>Items in the <tt>reqSequence</tt> are not referenced by a control. These
items, which are certification requests, also need to be
processed. As with controls, the appropriate processing can be
either immediate processing or addition to a to-do list for later
processing.</t>
            </li>
            <li>
              <t>Finally, the to-do list is processed. In many cases, the to-do
list will be ordered by grouping specific tasks together.</t>
            </li>
          </ol>
          <t>No processing is required for <tt>cmsSequence</tt> or <tt>otherMsgSequence</tt> members
of <tt>PKIData</tt> if they are present and are not referenced by a control.
In this case, the <tt>cmsSequence</tt> and <tt>otherMsgSequence</tt> members are
ignored.</t>
          <section anchor="ControlSyntax">
            <name>Control Syntax</name>
            <t>The actions to be performed for a PKI Request/Response are based on
the included controls. Each control consists of an OID
and a value based on the OID.</t>
            <t>The syntax of a control is:</t>
            <sourcecode type="asn.1" markers="false"><![CDATA[
  TaggedAttribute ::= SEQUENCE {
    bodyPartID         BodyPartID,
    attrType           CMC-CONTROL.&id({Cmc-Control-Set}),
    attrValues         SET OF CMC-CONTROL.
                           &Type({Cmc-Control-Set}{@attrType})
  }]]></sourcecode>

            <t>The fields in <tt>TaggedAttribute</tt> have the following meanings:</t>
            <ul spacing="normal">
              <li>
                <t><tt>bodyPartID</tt> is a unique integer that identifies this control.</t>
              </li>
              <li>
                <t><tt>attrType</tt> is the OID that identifies the control.</t>
              </li>
              <li>
                <t><tt>attrValues</tt> is comprised of the data values used in processing the control. The
   structure of the data is dependent on the specific
   control.</t>
              </li>
            </ul>

            <t>The final server <bcp14>MUST</bcp14> fail the processing of an entire <tt>PKIData</tt> if any
included control is not recognized, that control is not already
marked as processed by a Control Processed control (see <xref target="ControlProcessedControl"/>),
and no other error is generated. The PKI Response <bcp14>MUST</bcp14> include a
<tt>CMCFailInfo</tt> value with the value <tt>badRequest</tt> and the <tt>bodyList</tt> <bcp14>MUST</bcp14>
contain the <tt>bodyPartID</tt> of the invalid or unrecognized control(s). A
server is the final server if and only if it is not passing the PKI
Request on to another server. A server is not considered to be the
final server if the server would have passed the PKI Request on, but
instead it returned a processing error.</t>
            <t>The controls defined by this document are found in <xref target="Controls"/>.</t>
          </section>
          <section anchor="CertificationRequestFormats">
            <name>Certification Request Formats</name>
            <t>Certification requests are based on PKCS #10, CRMF, or Other Request
formats. <xref target="PKCS10CertificationSyntax"/> specifies the requirements for clients
and servers dealing with PKCS #10. <xref target="CRMFCertificationSyntax"/> specifies the
requirements for clients and servers dealing with CRMF.
<xref target="OtherCertificationRequest"/> specifies the requirements for clients and servers
dealing with Other Requests.</t>
            <sourcecode type="asn.1" markers="false"><![CDATA[
  TaggedRequest ::= CHOICE {
    tcr               [0] TaggedCertificationRequest,
    crm               [1] CertReqMsg,
    orm               [2] SEQUENCE {
      bodyPartID            BodyPartID,
      requestMessageType    OTHER-REQUEST.&id({OtherRequests}),
      requestMessageValue   OTHER-REQUEST.&Type({OtherRequests}
                                {@.requestMessageType})
    }
  }]]></sourcecode>

            <t>The fields in <tt>TaggedRequest</tt> have the following meanings:</t>
            <ul spacing="normal">
              <li>
                <t><tt>tcr</tt> is a certification request that uses the PKCS
                #10 syntax.  Details on PKCS #10 are found in <xref
                target="PKCS10CertificationSyntax"/>.</t>
              </li>
              <li>
                <t><tt>crm</tt> is a certification request that uses the CRMF
                syntax. Details on CRMF are found in <xref
                target="CRMFCertificationSyntax"/>.</t>
              </li>
              <li>
                <t><tt>orm</tt> is an externally defined certification
                request. One example is an attribute certification request.
                The fields of this structure are:</t>
                <ul spacing="normal">
                  <li>
                    <t><tt>bodyPartID</tt> is the identifier number for this
                    certification request. Details on body part identifiers
                    are found in <xref target="BodyPartIdentification"/>.</t>
                  </li>
                  <li>
                    <t><tt>requestMessageType</tt> identifies the other
                    request type. These values are defined outside of this
                    document.</t>
                  </li>
                  <li>
                    <t><tt>requestMessageValue</tt> is the data associated
                    with the other request type.</t>
                  </li>
		</ul>
              </li>
            </ul>

            <section anchor="PKCS10CertificationSyntax">
              <name>PKCS #10 Certification Syntax</name>
              <t>A certification request based on PKCS #10 uses the following ASN.1
structure:</t>
              <sourcecode type="asn.1" markers="false"><![CDATA[
  TaggedCertificationRequest ::= SEQUENCE {
    bodyPartID            BodyPartID,
    certificationRequest  CertificationRequest
  }]]></sourcecode>

              <t>The fields in <tt>TaggedCertificationRequest</tt> have the following meanings:</t>
              <ul spacing="normal">
                <li>
                  <t><tt>bodyPartID</tt> is the identifier number for this
                  certification request.  Details on body part identifiers are
                  found in <xref target="BodyPartIdentification"/>.</t>
                </li>
                <li>
                  <t><tt>certificationRequest</tt> contains the certification request based on PKCS #10.  Its fields are described in <xref
                  target="RFC2986"/>.</t>
                </li>
              </ul>

              <t>When producing a certification request based on PKCS #10, clients
<bcp14>MUST</bcp14> produce the certification request with a subject name and public
key. Some PKI products are operated using a central repository of
information to assign subject names upon receipt of a certification
request. To accommodate this mode of operation, the <tt>subject</tt> field in
a <tt>CertificationRequest</tt> <bcp14>MAY</bcp14> be <tt>NULL</tt>, but it <bcp14>MUST</bcp14> be present. CAs that
receive a <tt>CertificationRequest</tt> with a <tt>NULL</tt> <tt>subject</tt> field <bcp14>MAY</bcp14> reject
such certification requests.  If rejected and a PKI Response is
returned, the CA <bcp14>MUST</bcp14> return a PKI Response with the <tt>CMCFailInfo</tt>
value with the value <tt>badRequest</tt>.</t>
            </section>
            <section anchor="CRMFCertificationSyntax">
              <name>CRMF Certification Syntax</name>
              <t>A CRMF message uses the following ASN.1 structure (defined in <xref target="RFC4211"/><xref target="RFC5912"/>
and included here for convenience):</t>
              <sourcecode type="asn.1" markers="false"><![CDATA[
  CertReqMsg ::= SEQUENCE {
    certReq   CertRequest,
    popo      ProofOfPossession  OPTIONAL,
    -- content depends upon key type
    regInfo   SEQUENCE SIZE (1..MAX) OF
                SingleAttribute{{RegInfoSet}} OPTIONAL }

  CertRequest ::= SEQUENCE {
    certReqId     INTEGER,
                    -- ID for matching request and reply
    certTemplate  CertTemplate,
                    -- Selected fields of cert to be issued
    controls      Controls OPTIONAL }
                    -- Attributes affecting issuance

  CertTemplate ::= SEQUENCE {
    version      [0] Version               OPTIONAL,
    serialNumber [1] INTEGER               OPTIONAL,
    signingAlg   [2] AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                         {SignatureAlgorithms}} OPTIONAL,
    issuer       [3] Name                  OPTIONAL,
    validity     [4] OptionalValidity      OPTIONAL,
    subject      [5] Name                  OPTIONAL,
    publicKey    [6] SubjectPublicKeyInfo  OPTIONAL,
    issuerUID    [7] UniqueIdentifier      OPTIONAL,
    subjectUID   [8] UniqueIdentifier      OPTIONAL,
    extensions   [9] Extensions{{CertExtensions}}  OPTIONAL }]]></sourcecode>

              <t>The fields in <tt>CertReqMsg</tt> are explained in <xref target="RFC4211"/>.</t>
              <t>This document imposes the following additional restrictions on the
construction and processing of CRMF:</t>
              <ul spacing="normal">
                <li>
                  <t>When a Full PKI Request includes a CRMF, both the <tt>subject</tt> and <tt>publicKey</tt> fields in the
                  <tt>CertTemplate</tt> <bcp14>MUST</bcp14> be defined. The <tt>subject</tt>
                  field can be encoded as <tt>NULL</tt>, but it <bcp14>MUST</bcp14> be
                  present.</t>
                </li>
                <li>
                  <t>When both CRMF and CMC controls exist with equivalent
                  functionality, the CMC control <bcp14>SHOULD</bcp14> be
                  used. The CMC control <bcp14>MUST</bcp14> override the CRMF
                  control.</t>
                </li>
                <li>
                  <t>The <tt>regInfo</tt> field <bcp14>MUST NOT</bcp14> be used on a
                  CRMF. Equivalent functionality is
                  provided in the CMC <tt>regInfo</tt> control (<xref
                  target="RegistrationandResponseInformationControls"/>).</t>
                </li>
                <li>
                  <t>The indirect method of proving POP is not supported in
                  this protocol. One of the other methods (including the
                  direct method described in this document)
                  <bcp14>MUST</bcp14> be used. The value of <tt>encrCert</tt> in
                  <tt>SubsequentMessage</tt> <bcp14>MUST NOT</bcp14> be used.</t>
                </li>
                <li>
                  <t>Since the <tt>subject</tt> and <tt>publicKey</tt> fields are always present,
                  the <tt>POPOSigningKeyInput</tt> <bcp14>MUST NOT</bcp14> be used when
                  computing the value for <tt>POPSigningKey</tt>.</t>
                </li>
              </ul>
              <t>A server is not required to use all of the values suggested by the
client in the CRMF. Servers <bcp14>MUST</bcp14> be able to
process all extensions defined, but not prohibited, in <xref target="RFC5280"/>.
Servers are not required to be able to process other X.509v3
extensions transmitted using this protocol, nor are they required to
be able to process private extensions. Servers are permitted to
modify client-requested extensions. Servers <bcp14>MUST NOT</bcp14> alter an
extension so as to invalidate the original intent of a client-requested extension. (For example, change key usage from
<tt>keyAgreement</tt> to <tt>digitalSignature</tt>.)  If a certification request is
denied due to the inability to handle a requested extension and a Full PKI Response is returned, the
server <bcp14>MUST</bcp14> return a <tt>CMCFailInfo</tt> value
with the value of <tt>unsupportedExt</tt>.</t>
            </section>
            <section anchor="OtherCertificationRequest">
              <name>Other Certification Request</name>
              <t>This document allows for other certification request formats to be
defined and used as well. An example of another certification
request format is one for Attribute Certificates. These other
certification request formats are defined by specifying an OID for
identification and the structure to contain the data to be passed.</t>
            </section>
          </section>
          <section anchor="ContentInfoObjects">
            <name>Content Info Objects</name>
            <t>The <tt>cmsSequence</tt> field of the <tt>PKIData</tt> and <tt>PKIResponse</tt> messages
contains zero or more tagged content info objects. The syntax for
this structure is:</t>
            <sourcecode type="asn.1" markers="false"><![CDATA[
  TaggedContentInfo ::= SEQUENCE {
    bodyPartID              BodyPartID,
    contentInfo             ContentInfo
  }]]></sourcecode>

            <t>The fields in <tt>TaggedContentInfo</tt> have the following meanings:</t>
            <ul spacing="normal">
              <li>
                <t><tt>bodyPartID</tt> is a unique integer that identifies
                this content info object.</t>
              </li>
              <li>
                <t><tt>contentInfo</tt> is a <tt>ContentInfo</tt> object (defined in <xref target="RFC5652"/>).</t>
              </li>
            </ul>

            <t>The five content types used in <tt>cmsSequence</tt> are <tt>AuthenticatedData</tt>,
<tt>Data</tt>, <tt>EnvelopedData</tt>, <tt>SignedData</tt>, and <tt>AuthEnvelopedData</tt>. The
first four content types are defined in <xref target="RFC5652"/> and the last is
defined in <xref target="RFC5083"/>.</t>
            <section anchor="AuthenticatedData">
              <name>Authenticated Data</name>
              <t>The <tt>AuthenticatedData</tt> content type provides a method of doing pre-shared-secret-based validation of data being sent between two
parties. Unlike <tt>SignedData</tt>, it does not specify which party actually
generated the information.</t>
              <t><tt>AuthenticatedData</tt> provides origination authentication in those
circumstances where a shared-secret exists, but a PKI-based trust has
not yet been established. No PKI-based trust may have been
established because a trust anchor has not been installed on the
client or no certificate exists for a signing key.</t>
              <t><tt>AuthenticatedData</tt> content type is used by this document for:</t>
              <ul spacing="normal">
                <li>
                  <t>The <tt>id-cmc-authData</tt> control (<xref target="AuthenticatedDataControl"/>), and</t>
                </li>
                <li>
                  <t>The top-level wrapper in environments where an encryption-only key
  is being certified or where a shared-secret exists, but a PKI-based
  trust (needed for <tt>SignedData</tt>) has not yet been established.</t>
                </li>
              </ul>

              <t>This content type can include both <tt>PKIData</tt> and <tt>PKIResponse</tt> as the
encapsulated content types. These embedded content types can contain
additional controls that need to be processed.</t>
            </section>
            <section anchor="Data">
              <name>Data</name>
              <t>The <tt>Data</tt> content type allows for general transport of unstructured
data.</t>
              <t>The <tt>Data</tt> content type is used by this document for:</t>
              <ul spacing="normal">
                <li>
                  <t>Holding the encrypted random value y for POP in the
  Encrypted POP control (see <xref target="EncryptedandDecryptedPOPControls"/>).</t>
                </li>
              </ul>
            </section>
            <section anchor="EnvelopedData">
              <name>Enveloped Data</name>
              <t>The <tt>EnvelopedData</tt> content type provides for the shrouding of data.</t>
              <t>The <tt>EnvelopedData</tt> content type is one confidentiality method
for sensitive information in this protocol. <tt>EnvelopedData</tt> can
provide encryption of an entire PKI Request (see <xref target="ApplicationofEncryptiontoaPKIRequestResponse"/>).

<tt>EnvelopedData</tt> can also be used to wrap private key material that is to be archived. If the decryption on an <tt>EnvelopedData</tt> fails, a Full PKI
Response is returned with a <tt>CMCFailInfo</tt> value of <tt>badMessageCheck</tt> and
a <tt>bodyPartID</tt> of 0.</t>
            </section>
            <section anchor="SignedData">
              <name>Signed Data</name>
              <t>The <tt>SignedData</tt> content type provides for authentication and
integrity.</t>
              <t>The <tt>SignedData</tt> content type is used by this document for:</t>
              <ul spacing="normal">
                <li>
                  <t>The outer wrapper for a PKI Request.</t>
                </li>
                <li>
                  <t>The outer wrapper for a PKI Response.</t>
                </li>
              </ul>

              <t>As part of processing a PKI Request/Response, the signature(s) <bcp14>MUST</bcp14>
be verified. If the signature does not verify and the PKI Request/Response contains anything other than an Extended CMC Status Info or a CMC Status Info control, a
Full PKI Response containing an Extended CMC Status Info or a CMC Status Info control <bcp14>MUST</bcp14> be
returned using a <tt>CMCFailInfo</tt> with a value of <tt>badMessageCheck</tt> and a
<tt>bodyPartID</tt> of 0.</t>
              <t>For the PKI Response, <tt>SignedData</tt> allows the server to sign the
returning data, if any exists, and to carry the certificates and CRLs
corresponding to the PKI Request. If no data is being returned
beyond the certificates and CRLs, there is no <tt>eContent</tt> field in the
<tt>EncapsulatedContentInfo</tt> and no <tt>SignerInfo</tt>.</t>
              <t>Only if the server is unable to sign the response (and unable to use
any <tt>RecipientInfo</tt> options of the <tt>AuthenticatedData</tt> content type),
should it send a negative response.  A Full PKI Response <tt>SignedData</tt> type
containing an Extended CMC Status Info or a CMC Status Info control <bcp14>MUST</bcp14> be returned using a <tt>CMCFailInfo</tt>
with a value of <tt>internalCAError</tt> and a <tt>bodyPartID</tt> of 0, and the <tt>eContent</tt> field
in the <tt>EncapsulatedContentInfo</tt> as well as <tt>SignerInfo</tt> fields <bcp14>MUST NOT</bcp14> be populated.</t>
            </section>
            <section anchor="AuthEnvelopedData">
              <name>Authenticated Enveloped Data</name>
              <t>The <tt>AuthEnvelopedData</tt> content type provides for the shrouding of data.</t>
              <t>The <tt>AuthEnvelopedData</tt> content type is the primary confidentiality method
for sensitive information in this protocol. <tt>AuthEnvelopedData</tt> can
provide encryption of an entire PKI Request (see <xref target="ApplicationofEncryptiontoaPKIRequestResponse"/>).
<tt>AuthEnvelopedData</tt> can also be used to wrap private key material that is to be archived. If the decryption on an <tt>AuthEnvelopedData</tt> fails, a Full PKI
Response is returned with a <tt>CMCFailInfo</tt> value of <tt>badMessageCheck</tt> and
a <tt>bodyPartID</tt> of 0.</t>
            </section>
          </section>
          <section anchor="OtherMessageBodies">
            <name>Other Message Bodies</name>
            <t>The <tt>otherMsgSequence</tt> field of the PKI Request/Response allows for
arbitrary data objects to be carried as part of a PKI
Request/Response. This is intended to contain a data object that is not
already wrapped in a <tt>cmsSequence</tt> field (<xref target="ContentInfoObjects"/>). The data
object is ignored unless a control references the data object by
<tt>bodyPartID</tt>.</t>
            <sourcecode type="asn.1" markers="false"><![CDATA[
  OtherMsg ::= SEQUENCE {
    bodyPartID      BodyPartID,
    otherMsgType    OTHER-MSG.&id({OtherMsgSet}),
    otherMsgValue   OTHER-MSG.&Type({OtherMsgSet}{@otherMsgType}) }]]></sourcecode>

            <t>The fields in <tt>OtherMsg</tt> have the following meanings:</t>
            <ul spacing="normal">
              <li>
                <t><tt>bodyPartID</tt> is the unique id identifying this data object.</t>
              </li>
              <li>
                <t><tt>otherMsgType</tt> is the OID that defines the type of message body.</t>
              </li>
              <li>
                <t><tt>otherMsgValue</tt> is the data.</t>
              </li>
            </ul>

          </section>
        </section>
        <section anchor="BodyPartIdentification">
          <name>Body Part Identification</name>
          <t>Each element of a <tt>PKIData</tt> or <tt>PKIResponse</tt> has an associated body part
identifier. The body part identifier is a 4-octet integer using the
ASN.1 of:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  bodyIdMax INTEGER ::= 4294967295

  BodyPartID ::= INTEGER(0..bodyIdMax)]]></sourcecode>

          <t>Body part identifiers are encoded in the <tt>certReqIds</tt> field for
<tt>CertReqMsg</tt> objects (in a <tt>TaggedRequest</tt>) or in the <tt>bodyPartID</tt> field of
the other objects. The body part identifier <bcp14>MUST</bcp14> be unique within a
single <tt>PKIData</tt> or <tt>PKIResponse</tt>. Body part identifiers can be
duplicated in different layers (for example, a <tt>PKIData</tt> embedded
within another).</t>
          <t>The <tt>bodyPartID</tt> value of 0 is reserved for use as the reference to the
current <tt>PKIData</tt> object.</t>
          <t>Some controls, such as the Add Extensions control (<xref target="AddExtensionsControl"/>),
use the body part identifier in the <tt>pkiDataReference</tt> field to refer
to a PKI Request in the current <tt>PKIData</tt>. Some controls, such as the
Extended CMC Status Info control (<xref target="extCMCStatusInfo"/>), will also use body
part identifiers to refer to elements in the previous PKI Request/Response. This allows an error to be explicit about the control or
PKI Request to which the error applies.</t>
          <t>A <tt>BodyPartList</tt> contains a list of body parts in a PKI
          Request/Response (i.e., the Batch Request control in <xref target="BatchRequestandResponseControls"/>). The
ASN.1 type <tt>BodyPartList</tt> is defined as:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID]]></sourcecode>

          <t>A <tt>BodyPartPath</tt> contains a path of body part identifiers moving
through nesting (i.e., the Modify Certification Request control in
<xref target="ModifyCertificationRequestControl"/>). The ASN.1 type <tt>BodyPartPath</tt> is defined as:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID]]></sourcecode>

        </section>
        <section anchor="CMCUnsignedDataAttribute">
          <name>CMC Unsigned Data Attribute</name>
          <t>There is sometimes a need to include data in a PKI Request designed
to be removed by an RA during processing. An example of this is the
inclusion of an encrypted private key, where a Key Archive Agent
removes the encrypted private key before sending it on to the CA.
One side effect of this desire is that every RA that encapsulates
this information needs to move the data so that it is not covered by
that RA's signature. (A client PKI Request encapsulated by an RA
cannot have a signed control removed by the Key Archive Agent without
breaking the RA's signature.) The CMC Unsigned Data attribute
addresses this problem.</t>
          <t>The CMC Unsigned Data attribute contains information that is not
directly signed by a client. When an RA encounters this attribute in
the unsigned or unauthenticated attribute field of a request it is
aggregating, the CMC Unsigned Data attribute is removed from the
request prior to placing the request in a <tt>cmsSequence</tt> and placed in
the unsigned or unauthenticated attributes of the RA's signed or
authenticated data wrapper.</t>
          <t>The CMC Unsigned Data attribute is identified by:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= { id-aa 34 }]]></sourcecode>

          <t>The CMC Unsigned Data attribute has the ASN.1 definition:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  CMCUnsignedData ::= SEQUENCE {
    bodyPartPath        BodyPartPath,
    identifier          TYPE-IDENTIFIER.&id,
    content             TYPE-IDENTIFIER.&Type
  }]]></sourcecode>

          <t>The fields in <tt>CMCUnsignedData</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>bodyPartPath</tt> is the path pointing to the control associated
              with this data. When an RA moves the control in an unsigned or
              unauthenticated attribute up one level as part of wrapping the
              data in a new <tt>SignedData</tt> or <tt>AuthenticatedData</tt>, the body part
              identifier of the embedded item in the <tt>PKIData</tt> is prepended to
              the <tt>bodyPartPath</tt> sequence.</t>
            </li>
            <li>
              <t><tt>identifier</tt> is the OID that defines the associated data.</t>
            </li>
            <li>
              <t><tt>content</tt> is the data.</t>
            </li>
          </ul>

          <t>There <bcp14>MUST</bcp14> be at most one CMC Unsigned Data attribute in the
<tt>UnsignedAttribute</tt> sequence of a <tt>SignerInfo</tt> or in the
<tt>UnauthenticatedAttribute</tt> sequence of an <tt>AuthenticatedData</tt>.
<tt>UnsignedAttribute</tt> consists of a set of values; the attribute can have
any number of values greater than zero in that set. If the CMC
Unsigned Data attribute is in one <tt>SignerInfo</tt> or <tt>AuthenticatedData</tt>, it
<bcp14>MUST</bcp14> appear with the same values(s) in all <tt>SignerInfo</tt> and
<tt>AuthenticatedData</tt> items.</t>
        </section>
      </section>
    </section>
    <section anchor="PKIResponses">
      <name>PKI Responses</name>
      <t>Two types of PKI Responses exist. This section gives the details on
both types.</t>
      <section anchor="SimplePKIResponse">
        <name>Simple PKI Response</name>
        <t>Clients <bcp14>MUST</bcp14> be able to process the Simple PKI Response. The Simple
PKI Response consists of a <tt>SignedData</tt> with no <tt>EncapsulatedContentInfo</tt>
and no <tt>SignerInfo</tt>. The certificates requested in the PKI Response
	are returned in the certificate field of the <tt>SignedData</tt>.</t>


        <t>Clients <bcp14>MUST NOT</bcp14> assume the certificates are in any order. Servers
<bcp14>SHOULD</bcp14> include all intermediate certificates needed to form complete
certification paths to one or more trust anchors, not just the newly
issued certificate(s). The server <bcp14>MAY</bcp14> additionally return CRLs in
the <tt>crls</tt> field. Servers <bcp14>MAY</bcp14> include the self-signed certificates.
Clients <bcp14>MUST NOT</bcp14> implicitly trust an included self-signed certificate(s)
merely due to its presence in the <tt>certificates</tt> field. In the event
clients receive a new self-signed certificate from the server,
clients <bcp14>SHOULD</bcp14> provide a mechanism to enable the user to use the
	certificate as a trust anchor.</t>
	<aside><t>Note: The Publish Trust Anchors control
(<xref target="PublishTrustAnchorsControl"/>) should be used in the event that the server intends
the client to accept one or more certificates as trust anchors. This
requires the use of the Full PKI Response message.</t></aside>
      </section>
      <section anchor="FullPKIResponse">
        <name>Full PKI Response</name>
        <t>Clients <bcp14>MUST</bcp14> be able to process a Full PKI Response.</t>
        <t>The Full PKI Response consists of a <tt>SignedData</tt> or <tt>AuthenticatedData</tt>
encapsulating a <tt>PKIResponse</tt> content type. The certificates issued in
a PKI Response are returned in the <tt>certificates</tt> field of the
immediately encapsulating <tt>SignedData</tt>.</t>
        <t>Clients <bcp14>MUST NOT</bcp14> assume the certificates are in any order. Servers
<bcp14>SHOULD</bcp14> include all intermediate certificates needed to form complete
chains to one or more trust anchors, not just the newly issued
certificate(s). The server <bcp14>MAY</bcp14> additionally return CRLs in the CRL
bag. Servers <bcp14>MAY</bcp14> include self-signed certificates. Clients <bcp14>MUST NOT</bcp14>
implicitly trust an included self-signed certificate(s) merely due to
its presence in the <tt>certificates</tt> field. In the event clients receive a
new self-signed certificate from the server, clients <bcp14>MAY</bcp14> provide a
mechanism to enable the user to explicitly use the certificate as a
	trust anchor.</t>
	<aside><t>Note: The Publish Trust Anchors control (<xref target="PublishTrustAnchorsControl"/>)
exists for the purpose of allowing for distribution of trust anchor
certificates. If a trusted anchor publishes a new trusted anchor,
this is one case where automated trust of the new trust anchor could
be allowed.</t></aside>
        <section anchor="PKIResponseContentType">
          <name><tt>PKIResponse</tt> Content Type</name>
          <t>The <tt>PKIResponse</tt> content type is used for the Full PKI Response. The
<tt>PKIResponse</tt> content type is identified by:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-pkix id-cct(12) 3  }]]></sourcecode>

          <t>The ASN.1 structure corresponding to the <tt>PKIResponse</tt> content type is:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  PKIResponse ::= SEQUENCE {
    controlSequence   SEQUENCE SIZE (0..MAX) OF TaggedAttribute,
    cmsSequence       SEQUENCE SIZE (0..MAX) OF TaggedContentInfo,
    otherMsgSequence  SEQUENCE SIZE (0..MAX) OF OtherMsg
    }

  ResponseBody ::= PKIResponse]]></sourcecode>

          <aside><t>Note: In <xref target="RFC2797"/>, this ASN.1 type was named <tt>ResponseBody</tt>. It has
been renamed to <tt>PKIResponse</tt> for clarity and the old name kept as a
synonym.</t></aside>
          <t>The fields in <tt>PKIResponse</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>controlSequence</tt> is a sequence of controls. The controls
              defined in this document are found in <xref target="Controls"/>. Controls can be
              defined by other parties. Details on the <tt>TaggedAttribute</tt>
              structure are found in <xref target="ControlSyntax"/>.</t>
            </li>
            <li>
              <t><tt>cmsSequence</tt> is a sequence of <xref target="RFC5652"/> message
              objects. See <xref target="ContentInfoObjects"/> for more
              details.</t>
            </li>
            <li>
              <t><tt>otherMsgSequence</tt> is a sequence of arbitrary data
              objects. Data objects placed here are referred to by one or more
              controls. This allows for controls to use large amounts of data
              without the data being embedded in the control. See <xref
              target="OtherMessageBodies"/> for more details.</t>
            </li>
          </ul>

          <t>Processing of <tt>PKIResponse</tt> by a recipient is as follows:</t>
          <ol spacing="normal" type="1"><li>
              <t>All controls should be examined and processed in an appropriate
manner. The appropriate processing is to complete processing at
this time, to ignore the control, or to place the control on a
to-do list for later processing.</t>
            </li>
            <li>
              <t>Additional processing of non-element items includes the saving of
certificates and CRLs present in wrapping layers. This type of
processing is based on the consumer of the element and should not
be relied on by generators.</t>
            </li>
          </ol>
          <t>No processing is required for <tt>cmsSequence</tt> or <tt>otherMsgSequence</tt> members
of the <tt>PKIResponse</tt> if items are present and are not referenced by a
control. In this case, the <tt>cmsSequence</tt> and <tt>otherMsgSequence</tt> members
are to be ignored.</t>
        </section>
      </section>
    </section>
    <section anchor="ApplicationofEncryptiontoaPKIRequestResponse">
      <name>Application of Encryption to a PKI Request/Response</name>
      <t>There are occasions when a PKI Request or Response must be encrypted
in order to prevent disclosure of information in the PKI Request/Response from being accessible to unauthorized entities. This
section describes the means to encrypt Full PKI Requests and
Responses (Simple PKI Requests cannot be encrypted). Data portions
of PKI Requests and Responses that are placed in the <tt>cmsSequence</tt>
field can be encrypted separately.</t>
      <t>Confidentiality is provided by wrapping the PKI Request/Response (a
<tt>SignedData</tt>) in an <tt>EnvelopedData</tt> or an <tt>AuthEnvelopedData</tt>. When using
<tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt>, the nested content type is
<tt>id-SignedData</tt>. Note that this is different from S/MIME where there
is a MIME layer placed between the encrypted and signed data for
<tt>EnvelopedData</tt> and between the authenticated encryption and signed data
for <tt>AuthEnvelopedData</tt>. It is recommended that if an <tt>EnvelopedData</tt>
or <tt>AuthEnvelopedData</tt> layer is applied to a PKI Request/Response, a second
signature layer be placed outside of the <tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt>
layer. The following figure shows how this nesting would be done:</t>
      <artwork><![CDATA[
  Normal              Option 1                  Option 2
  ------              --------                  --------
   SignedData          EnvelopedData             SignedData
     PKIData             SignedData                EnvelopedData
                           PKIData                   SignedData
                                                       PKIData]]></artwork>

      <aside><t>Note: <tt>PKIResponse</tt> can be substituted for <tt>PKIData</tt> in the above figure.</t></aside>

      <aside><t>Note: <tt>AuthEnvelopedData</tt> can be substituted for <tt>EnvelopedData</tt> in the above figure.</t></aside>

      <t>Options 1 and 2 prevent leakage of sensitive data by encrypting the
Full PKI Request/Response. An RA that receives a PKI Request that it
cannot decrypt <bcp14>MAY</bcp14> reject the PKI Request unless it can process the
PKI Request without knowledge of the contents (i.e., all it does is
amalgamate multiple PKI Requests and forward them to a server).</t>
      <t>After the RA removes the envelope and completes processing, it may
then apply a new <tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt> layer to protect
PKI Requests for transmission to the next processing agent. <xref target="RegistrationAuthorities"/>
contains more information about RA processing.</t>
      <t>Full PKI Requests/Responses can be encrypted or transmitted in the
clear. Servers that support <tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt> <bcp14>MUST</bcp14> provide support for
all three <tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt> options, respectively.</t>
      <t>Alternatively, an authenticated, secure channel could exist between
the parties that require confidentiality. Clients and servers <bcp14>MAY</bcp14>
use such channels instead of the technique described above to provide
secure, private communication of Simple and Full PKI Requests/
Responses.</t>
    </section>
    <section anchor="Controls">
      <name>Controls</name>
      <t>Controls are carried as part of both Full PKI Requests and Responses.
Each control is encoded as a unique OID followed by the data for the
control (see syntax in <xref target="ControlSyntax"/>). The encoding of the data is
based on the control. Processing systems would first detect the OID
(<tt>TaggedAttribute</tt> <tt>attrType</tt>) and process the corresponding control
value (<tt>TaggedAttribute</tt> <tt>attrValues</tt>) prior to processing the message
body.</t>
      <t>The OIDs are all defined under the following arc:</t>
      <sourcecode type="asn.1" markers="false"><![CDATA[
  id-pkix OBJECT IDENTIFIER  ::= { iso(1) identified-organization(3)
    dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

  id-cmc OBJECT IDENTIFIER ::= { id-pkix 7 }]]></sourcecode>

      <t>The following table lists the names, OID, and syntactic structure for
      each of the controls described in this document.</t>

      <table anchor="ctrl-attrs">
        <name>CMC Control Attributes</name>
        <thead>
          <tr>
            <th align="left">Identifier Description</th>
            <th align="left">OID</th>
            <th align="left">ASN.1 Structure</th>
            <th align="left">Section</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left"><tt>id-cmc-statusInfo</tt></td>
            <td align="left"><tt>id-cmc 1</tt></td>
            <td align="left"><tt>CMCStatusInfo</tt></td>
            <td align="left"><xref target="CMCStatusInfoControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-identification</tt></td>
            <td align="left"><tt>id-cmc 2</tt></td>
            <td align="left"><tt>UTF8String</tt></td>
            <td align="left"><xref target="IdentificationControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-identityProof</tt></td>
            <td align="left"><tt>id-cmc 3</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="IdentityProofControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-dataReturn</tt></td>
            <td align="left"><tt>id-cmc 4</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="DataReturnControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-transactionId</tt></td>
            <td align="left"><tt>id-cmc 5</tt></td>
            <td align="left"><tt>INTEGER</tt></td>
            <td align="left"><xref target="TransactionIdentifierControlandSenderandRecipientNonceControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-senderNonce</tt></td>
            <td align="left"><tt>id-cmc 6</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="TransactionIdentifierControlandSenderandRecipientNonceControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-recipientNonce</tt></td>
            <td align="left"><tt>id-cmc 7</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="TransactionIdentifierControlandSenderandRecipientNonceControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-addExtensions</tt></td>
            <td align="left"><tt>id-cmc 8</tt></td>
            <td align="left"><tt>AddExtensions</tt></td>
            <td align="left"><xref target="AddExtensionsControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-encryptedPOP</tt></td>
            <td align="left"><tt>id-cmc 9</tt></td>
            <td align="left"><tt>EncryptedPOP</tt></td>
            <td align="left"><xref target="EncryptedandDecryptedPOPControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-decryptedPOP</tt></td>
            <td align="left"><tt>id-cmc 10</tt></td>
            <td align="left"><tt>DecryptedPOP</tt></td>
            <td align="left"><xref target="EncryptedandDecryptedPOPControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-lraPOPWitness</tt></td>
            <td align="left"><tt>id-cmc 11</tt></td>
            <td align="left"><tt>LraPopWitness</tt></td>
            <td align="left"><xref target="RAPOPWitnessControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-getCert</tt></td>
            <td align="left"><tt>id-cmc 15</tt></td>
            <td align="left"><tt>GetCert</tt></td>
            <td align="left"><xref target="GetCertificateControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-getCRL</tt></td>
            <td align="left"><tt>id-cmc 16</tt></td>
            <td align="left"><tt>GetCRL</tt></td>
            <td align="left"><xref target="GetCRLControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-revokeRequest</tt></td>
            <td align="left"><tt>id-cmc 17</tt></td>
            <td align="left"><tt>RevokeRequest</tt></td>
            <td align="left"><xref target="RevocationRequestControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-regInfo</tt></td>
            <td align="left"><tt>id-cmc 18</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="RegistrationandResponseInformationControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-responseInfo</tt></td>
            <td align="left"><tt>id-cmc 19</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="RegistrationandResponseInformationControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-queryPending</tt></td>
            <td align="left"><tt>id-cmc 21</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="QueryPendingControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-popLinkRandom</tt></td>
            <td align="left"><tt>id-cmc 22</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="POPLinkRandomControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-popLinkWitness</tt></td>
            <td align="left"><tt>id-cmc 23</tt></td>
            <td align="left"><tt>OCTET STRING</tt></td>
            <td align="left"><xref target="POPLinkWitnessControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-confirmCertAcceptance</tt></td>
            <td align="left"><tt>id-cmc 24</tt></td>
            <td align="left"><tt>IssuerAndSerialNumber</tt></td>
            <td align="left"><xref target="ConfirmCertificateAcceptanceControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-statusInfoV2</tt></td>
            <td align="left"><tt>id-cmc 25</tt></td>
            <td align="left"><tt>CMCStatusInfoV2</tt></td>
            <td align="left"><xref target="extCMCStatusInfo"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-trustedAnchors</tt></td>
            <td align="left"><tt>id-cmc 26</tt></td>
            <td align="left"><tt>PublishTrustAnchors</tt></td>
            <td align="left"><xref target="PublishTrustAnchorsControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-authData</tt></td>
            <td align="left"><tt>id-cmc 27</tt></td>
            <td align="left"><tt>BodyPartID</tt></td>
            <td align="left"><xref target="AuthenticatedDataControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-batchRequests</tt></td>
            <td align="left"><tt>id-cmc 28</tt></td>
            <td align="left"><tt>BodyPartList</tt></td>
            <td align="left"><xref target="BatchRequestandResponseControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-batchResponses</tt></td>
            <td align="left"><tt>id-cmc 29</tt></td>
            <td align="left"><tt>BodyPartList</tt></td>
            <td align="left"><xref target="BatchRequestandResponseControls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-publishCert</tt></td>
            <td align="left"><tt>id-cmc 30</tt></td>
            <td align="left"><tt>CMCPublicationInfo</tt></td>
            <td align="left"><xref target="PublicationInformationControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-modCertTemplate</tt></td>
            <td align="left"><tt>id-cmc 31</tt></td>
            <td align="left"><tt>ModCertTemplate</tt></td>
            <td align="left"><xref target="ModifyCertificationRequestControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-controlProcessed</tt></td>
            <td align="left"><tt>id-cmc 32</tt></td>
            <td align="left"><tt>ControlList</tt></td>
            <td align="left"><xref target="ControlProcessedControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-popLinkWitnessV2</tt></td>
            <td align="left"><tt>id-cmc 33</tt></td>
            <td align="left"><tt>PopLinkWitnessV2</tt></td>
            <td align="left"><xref target="POPLinkWitnessVersion2Controls"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-identityProofV2</tt></td>
            <td align="left"><tt>id-cmc 34</tt></td>
            <td align="left"><tt>IdentityProofV2</tt></td>
            <td align="left"><xref target="IdentityProofVersion2Control"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-raIdentityWitness</tt></td>
            <td align="left"><tt>id-cmc 35</tt></td>
            <td align="left"><tt>BodyPartPath</tt></td>
            <td align="left"><xref target="RAIdentityProofWitnessControl"/></td>
          </tr>
          <tr>
            <td align="left"><tt>id-cmc-responseBody</tt></td>
            <td align="left"><tt>id-cmc 37</tt></td>
            <td align="left"><tt>BodyPartPath</tt></td>
            <td align="left"><xref target="ResponseBodyControl"/></td>
          </tr>
        </tbody>
      </table>
      <section anchor="xtCMCStatusInfo">
        <name>CMC Status Info Controls</name>
        <t>The CMC Status Info controls return information about the status of a
client/server request/response. Two controls are described in this
section. The Extended CMC Status Info control is the preferred
control; the CMC Status Info control is included for backward
compatibility with <xref target="RFC2797"/>.</t>
        <t>Servers <bcp14>MAY</bcp14> emit multiple CMC Status Info controls referring to a
single body part. Clients <bcp14>MUST</bcp14> be able to deal with multiple CMC
Status Info controls in a PKI Response. Servers <bcp14>MUST</bcp14> use the
Extended CMC Status Info control, but they <bcp14>MAY</bcp14> additionally use the CMC
Status Info control. Clients <bcp14>MUST</bcp14> be able to process the Extended
CMC Status Info control.</t>
        <section anchor="extCMCStatusInfo">
          <name>Extended CMC Status Info Control</name>
          <t>The Extended CMC Status Info control is identified by the OID:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= { id-cmc 25 }]]></sourcecode>

          <t>The Extended CMC Status Info control has the ASN.1 definition:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
   CMCStatusInfoV2 ::= SEQUENCE {
      cMCStatus             CMCStatus,
      bodyList              SEQUENCE SIZE (1..MAX) OF
                                     BodyPartReference,
      statusString          UTF8String OPTIONAL,
      otherInfo             CHOICE {
          failInfo              CMCFailInfo,
          pendInfo              PendInfo,
          extendedFailInfo      [1] SEQUENCE {
             failInfoOID           TYPE-IDENTIFIER.&id
                                       ({ExtendedFailures}),
             failInfoValue         TYPE-IDENTIFIER.&Type
                                       ({ExtendedFailures}
                                           {@.failInfoOID})
          }
      } OPTIONAL
   }

  PendInfo ::= SEQUENCE {
      pendToken        OCTET STRING,
      pendTime         GeneralizedTime
  }

  BodyPartReference ::= CHOICE {
    bodyPartID           BodyPartID,
    bodyPartPath         BodyPartPath
   }]]></sourcecode>

          <t>The fields in <tt>CMCStatusInfoV2</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>cMCStatus</tt> contains the returned status value. Details are in
              <xref target="CMCStatusValues"/>.</t>
            </li>
            <li>
              <t><tt>bodyList</tt> identifies the controls or other elements to which
              the status value applies. If an error is returned for a Simple
              PKI Request, this field is the <tt>bodyPartID</tt> choice of
              <tt>BodyPartReference</tt> with the single integer of value 1.</t>
            </li>
            <li>
              <t><tt>statusString</tt> contains additional description
              information. This string is human readable.</t>
            </li>
            <li>
              <t><tt>otherInfo</tt> contains additional information that expands on the
              CMC status code returned in the <tt>cMCStatus</tt> field.</t>
            </li>
          </ul>

          <t>The fields in <tt>otherStatusInfo</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>failInfo</tt> is described in <xref target="CMCFailInfo"/>. It
              provides an error code that details what failure occurred. This
              choice is present only if <tt>cMCStatus</tt> contains the value
              failed.</t>
            </li>
            <li>
              <t><tt>pendInfo</tt> contains information about when and how the client
              should request the result of this request. It is present when
              the <tt>cMCStatus</tt> is either <tt>pending</tt> or <tt>partial</tt>. <tt>pendInfo</tt> uses the
              structure <tt>PendInfo</tt>, which has the fields:</t>
              <ul spacing="normal">
                <li>
                  <t><tt>pendToken</tt> is the token used in the Query Pending control
                  (<xref target="QueryPendingControl"/>).</t>
                </li>
                <li>
                  <t><tt>pendTime</tt> contains the suggested time the server wants to
                  be queried about the status of the certification
                  request.</t>
                </li>
              </ul>
            </li>
            <li>
              <t><tt>extendedFailInfo</tt> includes application-dependent detailed
              error information.  This choice is present only if <tt>cMCStatus</tt>
              contains the <tt>value</tt> failed.  Caution should be used when defining
              new values as they may not be correctly recognized by all
              clients and servers.  The <tt>CMCFailInfo</tt> value of <tt>internalCAError</tt>
              may be assumed if the extended error is not recognized.  This
              field uses the type <tt>ExtendedFailInfo</tt>.  <tt>ExtendedFailInfo</tt> has the
              fields:</t>
              <ul spacing="normal">
                <li>
                  <t><tt>failInfoOID</tt> contains an OID that is associated with a set
                  of extended error values.</t>
                </li>
                <li>
                  <t><tt>failInfoValue</tt> contains an extended error code from the
                  defined set of extended error codes.</t>
                </li>
              </ul>
            </li>
          </ul>

          <t>If the <tt>cMCStatus</tt> field is <tt>success</tt>, the Extended CMC Status Info
control <bcp14>MAY</bcp14> be omitted unless it is the only item in the response.</t>
        </section>
        <section anchor="CMCStatusInfoControl">
          <name>CMC Status Info Control</name>
          <t>The CMC Status Info control is identified by the OID:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-statusInfo OBJECT IDENTIFIER ::= { id-cmc 1 }]]></sourcecode>

          <t>The CMC Status Info control has the ASN.1 definition:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  CMCStatusInfo ::= SEQUENCE {
    cMCStatus           CMCStatus,
    bodyList            BodyPartList,
    statusString        UTF8String OPTIONAL,
    otherInfo           CHOICE {
      failInfo            CMCFailInfo,
      pendInfo            PendInfo } OPTIONAL
    }]]></sourcecode>

          <t>The fields in <tt>CMCStatusInfo</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>cMCStatus</tt> contains the returned status value. Details are in
              <xref target="CMCStatusValues"/>.</t>
            </li>
            <li>
              <t><tt>bodyList</tt> contains the list of controls or other elements to
              which the status value applies. If an error is being returned
              for a Simple PKI Request, this field contains a single integer
              of value 1.</t>
            </li>
            <li>
              <t><tt>statusString</tt> contains additional description
              information. This string is human readable.</t>
            </li>
            <li>
              <t><tt>otherInfo</tt> provides additional information that expands on the
              CMC status code returned in the <tt>cMCStatus</tt> field.</t>
              <ul spacing="normal">
                <li>
                  <t><tt>failInfo</tt> is described in <xref target="CMCFailInfo"/>. It
                  provides an error code that details what failure
                  occurred. This choice is present only if <tt>cMCStatus</tt> is
                  failed.</t>
                </li>
                <li>
                  <t><tt>pendInfo</tt> uses the <tt>PendInfo</tt> ASN.1 structure in <xref
                  target="extCMCStatusInfo"/>. It contains information about
                  when and how the client should request results of this
                  request. The <tt>pendInfo</tt> field <bcp14>MUST</bcp14> be populated
                  for a <tt>cMCStatus</tt> value of pending or partial. Further details
                  can be found in Sections <xref target="extCMCStatusInfo" format="counter"/>  and <xref
                  target="QueryPendingControl" format="counter"/>.</t>
                </li>
              </ul>
            </li>
          </ul>

          <t>If the <tt>cMCStatus</tt> field is <tt>success</tt>, the CMC Status Info control <bcp14>MAY</bcp14> be
omitted unless it is the only item in the response. If no status
exists for a Simple or Full PKI Request, then the value of <tt>success</tt> is
assumed.</t>
        </section>
        <section anchor="CMCStatusValues">
          <name>CMCStatus Values</name>
          <t><tt>CMCStatus</tt> is a field in the Extended CMC Status Info and CMC Status
Info controls. This field contains a code representing the success
or failure of a specific operation. <tt>CMCStatus</tt> has the ASN.1
structure:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  CMCStatus ::= INTEGER {
    success                (0),
    -- reserved            (1),
    failed                 (2),
    pending                (3),
    noSupport              (4),
    confirmRequired        (5),
    popRequired            (6),
    partial                (7)
    }]]></sourcecode>

          <t>The values of <tt>CMCStatus</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>success</tt> indicates the request was granted or the action was
              completed.</t>
            </li>
            <li>
              <t><tt>failed</tt> indicates the request was not granted or the action
              was not completed. More information is included elsewhere in the
              response.</t>
            </li>
            <li>
              <t><tt>pending</tt> indicates the PKI Request has yet to be
              processed. The requester is responsible to poll back on this
              Full PKI Request.  <tt>pending</tt> may only be returned for
              certification request operations.</t>
            </li>
            <li>
              <t><tt>noSupport</tt> indicates the requested operation is not supported.</t>
            </li>
            <li>
              <t><tt>confirmRequired</tt> indicates a Confirm Certificate Acceptance
              control (<xref target="ConfirmCertificateAcceptanceControl"/>)
              must be returned before the certificate can be used.</t>
            </li>
            <li>
              <t><tt>popRequired</tt> indicates a direct POP operation is required
              (<xref target="POPLinkRandomControl"/>).</t>
            </li>
            <li>
              <t><tt>partial</tt> indicates a partial PKI Response is returned. The
              requester is responsible to poll back for the unfulfilled
              portions of the Full PKI Request.</t>
            </li>
          </ul>

        </section>
        <section anchor="CMCFailInfo">
          <name><tt>CMCFailInfo</tt></name>
          <t><tt>CMCFailInfo</tt> is a field in the Extended CMC Status Info and CMC Status
Info controls. <tt>CMCFailInfo</tt> conveys more detailed information
relevant to the interpretation of a failure condition. The
<tt>CMCFailInfo</tt> has the following ASN.1 structure:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  CMCFailInfo ::= INTEGER {
    badAlg            (0),
    badMessageCheck   (1),
    badRequest        (2),
    badTime           (3),
    badCertId         (4),
    unsupportedExt    (5),
    mustArchiveKeys   (6),
    badIdentity       (7),
    popRequired       (8),
    popFailed         (9),
    noKeyReuse        (10),
    internalCAError   (11),
    tryLater          (12),
    authDataFail      (13)
    }]]></sourcecode>

          <t>The values of <tt>CMCFailInfo</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>badAlg</tt> indicates unrecognized or unsupported algorithm.</t>
            </li>
            <li>
              <t><tt>badMessageCheck</tt> indicates integrity check failed.</t>
            </li>
            <li>
              <t><tt>badRequest</tt> indicates transaction was not permitted or supported.</t>
            </li>
            <li>
              <t><tt>badTime</tt> indicates message time field was not sufficiently
              close to the system time.</t>
            </li>
            <li>
              <t><tt>badCertId</tt> indicates no certificate could be identified
              matching the provided criteria.</t>
            </li>
            <li>
              <t><tt>unsupportedExt</tt> indicates a requested X.509 extension is not
              supported by the recipient CA.</t>
            </li>
            <li>
              <t><tt>mustArchiveKeys</tt> indicates private key material must be supplied.</t>
            </li>
            <li>
              <t><tt>badIdentity</tt> indicates identification control failed to verify.</t>
            </li>
            <li>
              <t><tt>popRequired</tt> indicates server requires a POP  before issuing
   certificate.</t>
            </li>
            <li>
              <t><tt>popFailed</tt> indicates POP processing failed.</t>
            </li>
            <li>
              <t><tt>noKeyReuse</tt> indicates server policy does not allow key reuse.</t>
            </li>
            <li>
              <t><tt>internalCAError</tt> indicates that the CA had an unknown internal
              failure.</t>
            </li>
            <li>
              <t><tt>tryLater</tt> indicates that the server is not accepting requests
              at this time and the client should try at a later time.</t>
            </li>
            <li>
              <t><tt>authDataFail</tt> indicates failure occurred during processing of
              authenticated data.</t>
            </li>
          </ul>

          <t>If additional failure reasons are needed, they <bcp14>SHOULD</bcp14> use the
<tt>ExtendedFailureInfo</tt> item in the Extended CMC Status Info control.
However, for closed environments, they can be defined using this type.
Such codes <bcp14>MUST</bcp14> be in the range from 1000 to 1999.</t>
        </section>
      </section>
      <section anchor="IdentificationandIdentityProofControls">
        <name>Identification and Identity Proof Controls</name>
        <t>Some CAs and RAs require that a Proof-of-Identity be included in a
certification request. Many different ways of doing this exist with
different degrees of security and reliability. Most are familiar
with a bank's request to provide your mother's maiden name as a form
of Proof-of-Identity. The reasoning behind requiring a Proof-of-Identity can be found in <xref section="C" target="RFC4211"/>.</t>
        <t>CMC provides a method to prove the client's identity based on a
client/server shared-secret. If clients support the Full PKI
Request, clients <bcp14>MUST</bcp14> implement this method of Proof-of-Identity
(<xref target="IdentityProofVersion2Control"/>). Servers <bcp14>MUST</bcp14> provide this method, but they <bcp14>MAY</bcp14>
additionally support bilateral methods of similar strength.</t>
        <t>This document also provides an Identification control
(<xref target="IdentificationControl"/>). This control is a simple method to allow a client
to state who they are to the server. Generally, a shared-secret AND
an identifier of that shared-secret are passed from the server to the
client. The identifier is placed in the Identification control, and
the shared-secret is used to compute the Identity Proof or Identity Proof v2 control.</t>
        <section anchor="IdentityProofVersion2Control">
          <name>Identity Proof Version 2 Control</name>
          <t>The Identity Proof Version 2 control is identified by the OID:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 34 }]]></sourcecode>

          <t>The Identity Proof Version 2 control has the ASN.1 definition:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  IdentityProofV2 ::= SEQUENCE {
    proofAlgID      AlgorithmIdentifier{DIGEST-ALGORITHM,
                        {WitnessAlgs}},
    macAlgID         AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
    witness          OCTET STRING
    }]]></sourcecode>

          <t>The fields of <tt>IdentityProofV2</tt> have the following meanings:</t>
          <ul spacing="normal">
            <li>
              <t><tt>proofAlgID</tt> is the identifier and parameters for the hash
              algorithm used to convert the shared-secret into a key for the
              MAC algorithm.</t>
            </li>
            <li>
              <t><tt>macAlgID</tt> is the identifier and the parameters for the message
              authentication code algorithm used to compute the value of the
              <tt>witness</tt> field.</t>
            </li>
            <li>
              <t><tt>witness</tt> is the Proof-of-Identity.</t>
            </li>
          </ul>

          <t>The required method starts with an out-of-band transfer of a token
(the shared-secret). The shared-secret should be generated in a
random manner. The distribution of this token is beyond the scope of
this document. Then, the client provides Proof-of-Identity with this token
as follows:</t>
          <ol spacing="normal" type="1"><li>
              <t>The <tt>PKIData</tt> <tt>reqSequence</tt> field (encoded exactly as it appears in
the Full PKI Request including the sequence type and length) is
the value to be validated.</t>
            </li>
            <li>
              <t>A hash of the shared-secret as a UTF-8 string is computed using
<tt>proofAlgID</tt>.</t>
            </li>
            <li>
              <t>A MAC is then computed using the value produced in Step 1 as the
message and the value from Step 2 as the key.</t>
            </li>
            <li>
              <t>The result from Step 3 is then encoded as the witness value in
the Identity Proof Version 2 control.</t>
            </li>
          </ol>
          <t>When the server verifies the Identity Proof Version 2 control, it
computes the MAC value in the same way and compares it to the witness
value contained in the PKI Request.</t>
          <t>If a server fails the verification of an Identity Proof Version 2
control, the <tt>CMCFailInfo</tt> value <bcp14>MUST</bcp14> be present in the Full PKI
Response and <bcp14>MUST</bcp14> have a value of <tt>badIdentity</tt>.</t>
          <t>Reuse of the shared-secret on certification request retries allows
the client and server to maintain the same view of acceptable
Proof-of-Identity values. However, reuse of the shared-secret can
potentially open the door for some types of attacks.</t>
          <t>Implementations <bcp14>MUST</bcp14> be able to support tokens that are at least 16 characters
long. Guidance on the amount of entropy actually obtained from a
given length token based on character sets can be found in Appendix A
of <xref target="PASSWORD"/>.</t>
        </section>
        <section anchor="IdentityProofControl">
          <name>Identity Proof Control</name>
          <t>The Identity Proof control is identified by the OID:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-identityProof OBJECT IDENTIFIER ::= { id-cmc 3 }]]></sourcecode>

          <t>The Identity Proof control has the ASN.1 definition:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  IdentityProof ::= OCTET STRING]]></sourcecode>

          <t>This control is processed in the same way as the Identity Proof
Version 2 control. In this case, the hash algorithm is fixed to
SHA-1 and the MAC algorithm is fixed to HMAC-SHA1.</t>
        </section>
        <section anchor="IdentificationControl">
          <name>Identification Control</name>
          <t>Optionally, servers <bcp14>MAY</bcp14> require the inclusion of the unprotected
Identification control with an Identification Proof control. The
Identification control is intended to contain a text string that
assists the server in locating the shared-secret needed to validate
the contents of the Identity Proof control. If the Identification
control is included in the Full PKI Request, the derivation of the
key in Step 2 (from <xref target="IdentityProofVersion2Control"/>) is altered so that the hash of the
concatenation of the shared-secret and the UTF-8 identity value
(without the type and length bytes) are hashed rather than just the
shared-secret.</t>
          <t>The Identification control is identified by the OID:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-identification OBJECT IDENTIFIER ::= { id-cmc 2 }]]></sourcecode>

          <t>The Identification control has the ASN.1 definition:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  Identification ::= UTF8String]]></sourcecode>

        </section>
        <section anchor="HardwareShared-SecretTokenGeneration">
          <name>Hardware Shared-Secret Token Generation</name>
          <t>The shared-secret between the EE and the server is sometimes computed
using a hardware device that generates a series of tokens. The EE
can therefore prove its identity by transferring this token in plain
text along with a name string. The above protocol can be used with a
hardware shared-secret token generation device by the following
modifications:</t>
          <ol spacing="normal" type="1"><li>
              <t>The Identification control <bcp14>MUST</bcp14> be included and <bcp14>MUST</bcp14> contain the
hardware-generated token.</t>
            </li>
            <li>
              <t>The shared-secret value used above is the same hardware-generated
token.</t>
            </li>
            <li>
              <t>All certification requests <bcp14>MUST</bcp14> have a subject name, and the
subject name <bcp14>MUST</bcp14> contain the fields required to identify the
holder of the hardware token device.</t>
            </li>
            <li>
              <t>The entire certification request <bcp14>MUST</bcp14> be shrouded in some fashion
to prevent eavesdropping. Although the token is time critical,
an active eavesdropper cannot be permitted to extract the token
and submit a different certification request with the same token
value.</t>
            </li>
          </ol>
        </section>
      </section>
      <section anchor="LinkingIdentityandPOPInfomation">
        <name>Linking Identity and POP Information</name>
        <t>In a CMC Full PKI Request, Proof-of-Identity information about the
client is carried in the certificate associated with the signature of
the <tt>SignedData</tt> containing the certification requests, one of the two
Identity Proof controls, or the MAC computed for the <tt>AuthenticatedData</tt>
containing the certification requests.  POP
information for key pairs, however, is carried separately for each
PKCS #10 or CRMF.  (For keys capable of
generating a digital signature, the POP is provided by the signature
on the PKCS #10 or CRMF.  For encryption-only keys, the
controls described in <xref target="EncryptedandDecryptedPOPControls"/> are used.)  In order to prevent
substitution-style attacks, the protocol must guarantee that the same
entity supplied both the POP and Proof-of-Identity information.</t>
        <t>We describe three mechanisms for linking identity and POP
information: witness values cryptographically derived from a shared-secret (<xref target="CryptographicLinkage"/>), shared-secret/subject name matching (<xref target="Shared-Secret_SubjectDNLinking"/>), and subject name matching to an existing certificate (<xref target="ExistingCertificateLinking"/>).  Clients and servers <bcp14>MUST</bcp14> support the witness value and the
certificate-linking techniques.  Clients and servers <bcp14>MAY</bcp14> support
shared-secret/name matching or <bcp14>MAY</bcp14> support other bilateral techniques
of similar strength.  The idea behind the first two mechanisms is to
force the client to sign some data into each certification request
that can be directly associated with the shared-secret; this will
defeat attempts to include certification requests from different
entities in a single Full PKI Request.</t>
        <section anchor="CryptographicLinkage">
          <name>Cryptographic Linkage</name>
          <t>The first technique that links identity and POP information forces
the client to include a piece of information cryptographically
derived from the shared-secret as a signed extension within each
certification request (PKCS #10 or CRMF).</t>
          <section anchor="POPLinkWitnessVersion2Controls">
            <name>POP Link Witness Version 2 Controls</name>
            <t>The POP Link Witness Version 2 control is identified by the OID:</t>


            <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 33 }]]></sourcecode>

            <t>The POP Link Witness Version 2 control has the ASN.1 definition:</t>

            <sourcecode type="asn.1" markers="false"><![CDATA[
  PopLinkWitnessV2 ::= SEQUENCE {
    keyGenAlgorithm  AlgorithmIdentifier{KEY-DERIVATION,
                         {KeyDevAlgs}},
    macAlgorithm     AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
    witness          OCTET STRING
    }]]></sourcecode>
            <t>The fields of <tt>PopLinkWitnessV2</tt> have the following meanings:</t>
            <ul spacing="normal">
              <li>
                <t><tt>keyGenAlgorithm</tt> contains the algorithm used to generate the
                key for the MAC algorithm. This will generally be a hash
                algorithm, but it could be a more complex algorithm.</t>
              </li>
              <li>
                <t><tt>macAlgorithm</tt> contains the algorithm used to create the
                witness value.</t>
              </li>
              <li>
                <t><tt>witness</tt> contains the computed witness value.</t>
              </li>
            </ul>

            <t>This technique is useful if <tt>NULL</tt> subject Distinguished Names (DNs) are used (because, for
example, the server can generate the subject DN for the certificate
based only on the shared-secret). Processing begins when the client
receives the shared-secret out-of-band from the server. The client
then computes the following values:</t>
            <ol spacing="normal" type="1"><li>
                <t>The client generates a random byte-string, R, which <bcp14>SHOULD</bcp14> be at
least 512 bits in length.</t>
              </li>
              <li>
                <t>The key is computed from the shared-secret using the algorithm in
<tt>keyGenAlgorithm</tt>.</t>
              </li>
              <li>
                <t>A MAC is then computed over the random value produced in Step 1,
using the key computed in Step 2.</t>
              </li>
              <li>
                <t>The random value produced in Step 1 is encoded as the value of a
POP Link Random control. This control <bcp14>MUST</bcp14> be included in the
Full PKI Request.</t>
              </li>
              <li>
                <t>The MAC value produced in Step 3 is placed in either the POP Link
Witness control or the <tt>witness</tt> field of the POP Link Witness V2
control.  </t>
                <ul spacing="normal">
                  <li>
                    <t>For CRMF, the POP Link Witness / POP Link Witness V2 control is
included in the controls field of the <tt>CertRequest</tt> structure.</t>
                  </li>
                  <li>
                    <t>For PKCS #10, the POP Link Witness / POP Link Witness V2 control
is included in the <tt>attributes</tt> field of the
<tt>CertificationRequestInfo</tt> structure.</t>
                  </li>
                </ul>
              </li>
            </ol>
            <t>Upon receipt, servers <bcp14>MUST</bcp14> verify that each certification request
contains a copy of the POP Link Witness / POP Link Witness V2 control
and that its value was derived using the above method from the
shared-secret and the random string included in the POP Link Random
control.</t>
            <t>The Identification control (<xref target="IdentificationControl"/>) or the subject DN of a
certification request can be used to help identify which shared-secret was used.</t>
          </section>
          <section anchor="POPLinkWitnessControl">
            <name>POP Link Witness Control</name>
            <t>The POP Link Witness control is identified by the OID:</t>
            <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-popLinkWitness OBJECT IDENTIFIER ::= { id-cmc 23 }]]></sourcecode>

            <t>The POP Link Witness control has the ASN.1 definition:</t>

            <sourcecode type="asn.1" markers="false"><![CDATA[
  PopLinkWitness ::= OCTET STRING]]></sourcecode>

            <t>For this control, SHA-1 is used as the key generation algorithm.
HMAC-SHA1 is used as the MAC algorithm.</t>
          </section>
          <section anchor="POPLinkRandomControl">
            <name>POP Link Random Control</name>
            <t>The POP Link Random control is identified by the OID:</t>
            <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-popLinkRandom OBJECT IDENTIFIER ::= { id-cmc 22 }]]></sourcecode>

            <t>The POP Link Random control has the ASN.1 definition:</t>

            <sourcecode type="asn.1" markers="false"><![CDATA[
  PopLinkRandom ::= OCTET STRING]]></sourcecode>
          </section>
        </section>
        <section anchor="Shared-Secret_SubjectDNLinking">
          <name>Shared-Secret/Subject DN Linking</name>
          <t>The second technique to link identity and POP information is to link
a particular subject DN to the shared-secrets that are distributed out-of-band and to require that clients
using the shared-secret to prove identity include that exact subject
DN in every certification request. It is expected that many client-server connections that use shared-secret-based Proof-of-Identity
	  will use this mechanism.</t>
	  <aside><t>Note: It is common to include the subject DN
information from the certification request.</t></aside>
          <t>When the shared-secret is generated and transferred out-of-band to
initiate the registration process (<xref target="IdentificationandIdentityProofControls"/>), a particular subject
DN is also associated with the shared-secret and communicated to the
client. (The subject DN generated <bcp14>MUST</bcp14> be unique per entity in
accordance with the CA policy; a <tt>NULL</tt> subject DN cannot be used. A
common practice could be to place the identification value as part of
the subject DN.) When the client generates the Full PKI Request, it
<bcp14>MUST</bcp14> use these two pieces of information as follows:</t>
          <ol spacing="normal" type="1"><li>
              <t>The client <bcp14>MUST</bcp14> include the specific subject DN that it received
along with the shared-secret as the subject name in every
certification request (PKCS #10 and/or CRMF) in the Full PKI
Request. The subject names in the certification requests <bcp14>MUST
NOT</bcp14> be <tt>NULL</tt>.</t>
            </li>
            <li>
              <t>The client <bcp14>MUST</bcp14> include an Identity Proof control (<xref target="IdentityProofControl"/>)
or Identity Proof Version 2 control (<xref target="IdentityProofVersion2Control"/>), derived from
the shared-secret, in the Full PKI Request.</t>
            </li>
          </ol>
          <t>The server receiving this message <bcp14>MUST</bcp14> (a) validate the Identity
Proof control and then (b) check that the subject DN included in
each certification request matches that associated with the shared-secret. If either of these checks fails, the certification request
<bcp14>MUST</bcp14> be rejected.</t>
        </section>
        <section anchor="ExistingCertificateLinking">
          <name>Existing Certificate Linking</name>
          <t>Linking between the POP and an identity is easy when an existing
certificate is used.  The client copies all of the naming information
from the existing certificate (<tt>subject</tt> field and Subject Alternative
Name extension) into the new certification request.  The POP on the new public
key is then performed by using the new key to sign the identity
information (linking the POP to a specific identity).  The identity
information is then tied to the POP information by signing the entire
enrollment request with the private key of the existing certificate.</t>
          <t>Existing certificate linking can be used in the following
circumstances:</t>
          <ul spacing="normal">
            <li>
              <t>When replacing a certificate by doing a renewal or rekey
   certification request.</t>
            </li>
            <li>
              <t>Using an existing certificate to get a new certificate.  An
  example of this would be to get a key establishment certificate
  after having gotten a signature certificate.</t>
            </li>
            <li>
              <t>Using a third-party certificate to get a new certificate from a
  CA.  An example of this would be using a certificate and key pair
  distributed with a device to prove an identity.  This requires
  that the CA have an out-of-band channel to map the identity in the
  device certificate to the new EE identity.</t>
            </li>
          </ul>

        </section>
      </section>
      <section anchor="DataReturnControl">
        <name>Data Return Control</name>
        <t>The Data Return control allows clients to send arbitrary data
(usually some type of internal state information) to the server and
to have the data returned as part of the Full PKI Response. Data
placed in a Data Return control is considered to be opaque to the
server. The same control is used for both Full PKI Requests and
Responses. If the Data Return control appears in a Full PKI Request,
the server <bcp14>MUST</bcp14> return it as part of the PKI Response.</t>
        <t>In the event that the information in the Data Return control needs to
be confidential, it is expected that the client would apply some type
of encryption to the contained data, but the details of this are
outside the scope of this specification.</t>
        <t>The Data Return control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-dataReturn OBJECT IDENTIFIER ::= { id-cmc 4 }]]></sourcecode>

        <t>The Data Return control has the ASN.1 definition:</t>

        <sourcecode type="asn.1" markers="false"><![CDATA[
  DataReturn ::= OCTET STRING]]></sourcecode>

        <t>A client could use this control to place an identifier marking the
exact source of the private key material. This might be the
identifier of a hardware device containing the private key.</t>
      </section>
      <section anchor="RACertificateModificationControls">
        <name>RA Certificate Modification Controls</name>
        <t>These controls exist for RAs to be able to modify the contents of a
certification request. Modifications might be necessary for various
reasons. These include addition of certificate extensions or
modification of subject and/or subject alternative names.</t>
        <t>Two controls exist for this purpose. The first control, Modify
Certification Request (<xref target="ModifyCertificationRequestControl"/>), allows the RA to replace or
remove any field in the certificate. The second control, Add
Extensions (<xref target="AddExtensionsControl"/>), only allows for the addition of
extensions.</t>
        <section anchor="ModifyCertificationRequestControl">
          <name>Modify Certification Request Control</name>
          <t>The Modify Certification Request control is used by RAs to change
fields in a requested certificate.</t>
          <t>The Modify Certification Request control is identified by the OID:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-modCertTemplate OBJECT IDENTIFIER ::= { id-cmc 31 }]]></sourcecode>

          <t>The Modify Certification Request has the ASN.1 definition:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  ModCertTemplate ::= SEQUENCE {
    pkiDataReference             BodyPartPath,
    certReferences               BodyPartList,
    replace                      BOOLEAN DEFAULT TRUE,
    certTemplate                 CertTemplate
    }]]></sourcecode>

          <t>The fields in <tt>ModCertTemplate</tt> have the following meaning:</t>
          <ul spacing="normal">
            <li>
              <t><tt>pkiDataReference</tt> is the path to the PKI Request containing
              the certification request(s) to be modified.</t>
            </li>
            <li>
              <t><tt>certReferences</tt> refers to one or more certification requests
              in the PKI Request referenced by <tt>pkiDataReference</tt> to be
              modified. Each <tt>BodyPartID</tt> of the <tt>certReferences</tt> sequence
              <bcp14>MUST</bcp14> be equal to either the <tt>bodyPartID</tt> of a
              <tt>TaggedCertificationRequest</tt> (PKCS #10) or the <tt>certReqId</tt> of the
              <tt>CertRequest</tt> within a <tt>CertReqMsg</tt> (CRMF). By definition, the
              certificate extensions included in the <tt>certTemplate</tt> field are
              applied to every certification request referenced in the
              <tt>certReferences</tt> sequence. If a request corresponding to
              <tt>bodyPartID</tt> cannot be found, the <tt>CMCFailInfo</tt> with a value of
              <tt>badRequest</tt> is returned that references this control.</t>
            </li>
            <li>
              <t><tt>replace</tt> specifies if the target certification request is to
              be modified by replacing or deleting fields. If the value is
              <tt>TRUE</tt>, the data in this control replaces the data in the target
              certification request. If the value is <tt>FALSE</tt>, the data in the
              target certification request is deleted. The action is slightly
              different for the extensions field of <tt>certTemplate</tt>; each
              extension is treated individually rather than as a single
              unit.</t>
            </li>
            <li>
              <t><tt>certTemplate</tt> is a certificate template object <xref
              target="RFC4211"/><xref target="RFC5912"/>. If a field is present and replace is <tt>TRUE</tt>,
              it replaces that field in the certification request. If the
              field is present and replace is <tt>FALSE</tt>, the field in the
              certification request is removed. If the field is absent, no
              action is performed. Each extension is treated as a single
              field.</t>
            </li>
          </ul>

          <t>Servers <bcp14>MUST</bcp14> be able to process all extensions defined, but not
prohibited, in <xref target="RFC5280"/>. Servers are not required to be able to
process every X.509v3 extension transmitted using this protocol, nor
are they required to be able to process other, private extensions.
Servers are not required to put all RA-requested extensions into a
certificate. Servers are permitted to modify RA-requested
extensions. Servers <bcp14>MUST NOT</bcp14> alter an extension so as to reverse the
meaning of a client-requested extension. If a certification request
is denied due to the inability to handle a requested extension and a
Full PKI Response is returned, the server <bcp14>MUST</bcp14> return a <tt>CMCFailInfo</tt>
value with the value of <tt>unsupportedExt</tt>.</t>
          <t>If a certification request is the target of multiple Modify
Certification Request controls, the behavior is:</t>
          <ul spacing="normal">
            <li>
              <t>If control A exists in a layer that contains the layer of control
B, control A <bcp14>MUST</bcp14> override control B. In other words, controls
should be applied from the innermost layer to the outermost layer.</t>
            </li>
            <li>
              <t>If control A and control B are in the same <tt>PKIData</tt> (i.e., the same
wrapping layer), the order of application is non-determinate.</t>
            </li>
          </ul>
          <t>The same order of application is used if a certification request is
the target of both a Modify Certification Request control and an Add
Extensions control.</t>
        </section>
        <section anchor="AddExtensionsControl">
          <name>Add Extensions Control</name>
          <t>The Add Extensions control has been deprecated in favor of the Modify
Certification Request control. It was replaced so that fields in the
certification request other than extensions could be modified.</t>
          <t>The Add Extensions control is used by RAs to specify additional
extensions that are to be included in certificates.</t>
          <t>The Add Extensions control is identified by the OID:</t>
          <sourcecode type="asn.1" markers="false"><![CDATA[
id-cmc-addExtensions OBJECT IDENTIFIER ::= { id-cmc 8 }]]></sourcecode>

          <t>The Add Extensions control has the ASN.1 definition:</t>

          <sourcecode type="asn.1" markers="false"><![CDATA[
  AddExtensions ::= SEQUENCE {
    pkiDataReference    BodyPartID,
    certReferences      SEQUENCE OF BodyPartID,
    extensions          SEQUENCE OF Extension{{CertExtensions}}
    }]]></sourcecode>

          <t>The fields in <tt>AddExtensions</tt> have the following meaning:</t>
          <ul spacing="normal">
            <li>
              <t><tt>pkiDataReference</tt> contains the body part identity of the
              embedded certification request.</t>
            </li>
            <li>
              <t><tt>certReferences</tt> is a list of references to one or more of the
              certification requests contained within a <tt>PKIData</tt>. Each body
              part identifier of the <tt>certReferences</tt> sequence
              <bcp14>MUST</bcp14> be equal to either the <tt>bodyPartID</tt> of a
              <tt>TaggedCertificationRequest</tt> (PKCS #10) or the <tt>certReqId</tt> of the
              <tt>CertRequest</tt> within a <tt>CertReqMsg</tt> (CRMF). By definition, the
              listed extensions are to be applied to every certification
              request referenced in the <tt>certReferences</tt> sequence.  If a
              certification request corresponding to <tt>bodyPartID</tt> cannot be
              found, the <tt>CMCFailInfo</tt> with a value of <tt>badRequest</tt> is returned
              referencing this control.</t>
            </li>
            <li>
              <t><tt>extensions</tt> is a sequence of extensions to be applied to the
              referenced certification requests.</t>
            </li>
          </ul>

          <t>Servers <bcp14>MUST</bcp14> be able to process all extensions defined, but not
prohibited, in <xref target="RFC5280"/>. Servers are not required to be able to
process every X.509v3 extension transmitted using this protocol, nor
are they required to be able to process other, private extensions.
Servers are not required to put all RA-requested extensions into a
certificate. Servers are permitted to modify RA-requested
extensions. Servers <bcp14>MUST NOT</bcp14> alter an extension so as to reverse the
meaning of a client-requested extension. If a certification request
is denied due to the inability to handle a requested extension and a
response is returned, the server <bcp14>MUST</bcp14> return a <tt>CMCFailInfo</tt> with the
value of <tt>unsupportedExt</tt>.</t>
          <t>If multiple Add Extensions controls exist in a Full PKI Request, the
exact behavior is left up to the CA policy. However, it is
recommended that the following policy be used. These rules would be
applied to individual extensions within an Add Extensions control (as
opposed to an "all or nothing" approach).</t>
          <ol spacing="normal" type="1"><li>
              <t>If the conflict is within a single <tt>PKIData</tt>, the certification
request would be rejected with a <tt>CMCFailInfo</tt> value of <tt>badRequest</tt>.</t>
            </li>
            <li>
              <t>If the conflict is between different <tt>PKIData</tt>, the outermost
version of the extension would be used (allowing an RA to
override the requested extension).</t>
            </li>
          </ol>
        </section>
      </section>
      <section anchor="TransactionIdentifierControlandSenderandRecipientNonceControls">
        <name>Transaction Identifier Control and Sender and Recipient Nonce Controls</name>
        <t>Transactions are identified and tracked with a transaction
identifier. If used, clients generate transaction identifiers and
retain their value until the server responds with a Full PKI Response
that completes the transaction. Servers correspondingly include
received transaction identifiers in the Full PKI Response.</t>
        <t>The Transaction Identifier control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-transactionId  OBJECT IDENTIFIER ::= { id-cmc 5 }]]></sourcecode>

        <t>The Transaction Identifier control has the ASN.1 definition:</t>

        <sourcecode type="asn.1" markers="false"><![CDATA[
  TransactionId ::= INTEGER]]></sourcecode>

        <t>The Transaction Identifier control identifies a given transaction.
It is used by client and server to manage the state of an operation.
Clients <bcp14>MAY</bcp14> include a Transaction Identifier control in a request.
If the original request contains a Transaction Identifier control,
all subsequent requests and responses <bcp14>MUST</bcp14> include the same
Transaction Identifier control.</t>
        <t>Replay protection is supported through the use of the Sender and
Recipient Nonce controls. If nonces are used, in the first message
of a transaction, a Recipient Nonce control is not transmitted; a
Sender Nonce control is included by the transaction originator and
retained for later reference. The recipient of a Sender Nonce
control reflects this value back to the originator as a Recipient
Nonce control and includes its own Sender Nonce control. Upon
receipt by the transaction originator of this response, the
transaction originator compares the value of Recipient Nonce control
to its retained value. If the values match, the message can be
accepted for further security processing. The received value for a
Sender Nonce control is also retained for inclusion in the next
message associated with the same transaction.</t>
        <t>The Sender Nonce and Recipient Nonce controls are identified by the
OIDs:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-senderNonce    OBJECT IDENTIFIER ::= { id-cmc 6 }
  id-cmc-recipientNonce OBJECT IDENTIFIER ::= { id-cmc 7 }]]></sourcecode>

        <t>The Sender Nonce control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  SenderNonce ::= OCTET STRING]]></sourcecode>

        <t>The Recipient Nonce control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  RecipientNonce ::= OCTET STRING]]></sourcecode>

        <t>Clients <bcp14>MAY</bcp14> include a Sender Nonce control in the initial PKI
Request. If a message includes a Sender Nonce control, the response
<bcp14>MUST</bcp14> include the transmitted value of the previously received Sender
Nonce control as a Recipient Nonce control and include a new value as
its Sender Nonce control.</t>
      </section>
      <section anchor="EncryptedandDecryptedPOPControls">
        <name>Encrypted and Decrypted POP Controls</name>
        <t>Servers <bcp14>MAY</bcp14> require that this POP method be used only if another POP
method is unavailable. Servers <bcp14>SHOULD</bcp14> reject all certification
requests contained within a <tt>PKIData</tt> if any required POP is missing
for any element within the <tt>PKIData</tt>.</t>
        <t>Many servers require proof that the entity that generated the
certification request actually possesses the corresponding private
component of the key pair. For keys that can be used as signature
keys, signing the certification request with the private key serves
as a POP on that key pair. With keys that can only be used for
encryption operations, POP <bcp14>MUST</bcp14> be performed by forcing the client to
decrypt a value. See <xref section="5" sectionFormat="of" target="RFC4211"/> for a detailed discussion
of POP.</t>
        <t>By necessity, POP for encryption-only keys cannot be done in one
round trip, since there are four distinct steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Client tells the server about the public component of a new
encryption key pair.</t>
          </li>
          <li>
            <t>Server sends the client a POP challenge, encrypted with the
presented public encryption key.</t>
          </li>
          <li>
            <t>Client decrypts the POP challenge using the private key that
corresponds to the presented public key and uses it for
computing a keyed hash value sent back to the server.</t>
          </li>
          <li>
            <t>Server validates the decrypted POP challenge and continues
processing the certification request.</t>
          </li>
        </ol>
        <t>CMC defines two different controls.  The first deals with the
encrypted challenge sent from the server to the user in Step 2. The
second deals with the value derived from the decrypted challenge
sent by the client to the server in Step 3.</t>
        <t>The Encrypted POP control is used to send the encrypted challenge
	from the server to the client as part of the <tt>PKIResponse</tt>.</t>
	<aside><t>Note: It is assumed that the message sent in Step 1 above is a Full PKI
Request and that the response in Step 2 is a Full PKI Response
including a <tt>CMCFailInfo</tt> specifying that a POP is explicitly required,
and providing the POP challenge in the Encrypted POP control.</t></aside>
        <t>The Encrypted POP control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
    id-cmc-encryptedPOP OBJECT IDENTIFIER ::= { id-cmc 9 }]]></sourcecode>

        <t>The Encrypted POP control has the ASN.1 definition:</t>

        <sourcecode type="asn.1" markers="false"><![CDATA[
  EncryptedPOP ::= SEQUENCE {
    request         TaggedRequest,
    cms             ContentInfo,
    thePOPAlgID     AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
    witnessAlgID    AlgorithmIdentifier{DIGEST-ALGORITHM,
                        {WitnessAlgs}},
    witness         OCTET STRING
    }]]></sourcecode>

        <t>The Decrypted POP control is identified by the OID:</t>

        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-decryptedPOP  OBJECT IDENTIFIER ::= { id-cmc 10 }]]></sourcecode>

        <t>The Decrypted POP control has the ASN.1 definition:</t>

        <sourcecode type="asn.1" markers="false"><![CDATA[
  DecryptedPOP ::= SEQUENCE {
    bodyPartID      BodyPartID,
    thePOPAlgID     AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
    thePOP          OCTET STRING
    }]]></sourcecode>

        <t>The encrypted POP algorithm works as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>The server randomly generates the POP Proof Value and associates
it with the request.</t>
          </li>
          <li>
            <t>The server returns the Encrypted POP control with the following
fields set:  </t>
            <ul spacing="normal">
              <li>
                <t><tt>request</tt> is the original certification request (it is included
here so the client need not keep a copy of the request).</t>
              </li>
              <li>
                <t><tt>cms</tt> is an <tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt>, the encapsulated
   content type being <tt>id-data</tt> and the content being the POP Proof
   Value; this value needs to be long enough that one cannot
   reverse the value from the <tt>witness</tt> hash. If the certification
   request contains a Subject Key Identifier (SKI) extension, then
   the recipient identifier <bcp14>SHOULD</bcp14> be the SKI. If the
   <tt>issuerAndSerialNumber</tt> form is used, the <tt>IssuerName</tt> <bcp14>MUST</bcp14> be encoded
   as <tt>NULL</tt> and the <tt>SerialNumber</tt> as the <tt>bodyPartID</tt> of the certification
   request.</t>
              </li>
              <li>
                <t><tt>thePOPAlgID</tt> identifies the algorithm to be used in computing the
return POP value.</t>
              </li>
              <li>
                <t><tt>witnessAlgID</tt> identifies the hash algorithm used on the POP Proof
Value to create the field <tt>witness</tt>.</t>
              </li>
              <li>
                <t><tt>witness</tt> is the hashed value of the POP Proof Value.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The client decrypts the <tt>cms</tt> field to obtain the POP Proof Value.
The client computes H(POP Proof Value) using the <tt>witnessAlgID</tt> and
compares to the value of <tt>witness</tt>. If the values do not compare
or the decryption is not successful, the client <bcp14>MUST</bcp14> abort the
enrollment process. The client aborts the process by sending a
request containing an Extended CMC Status Info or a CMC Status Info control with <tt>CMCFailInfo</tt>
value of <tt>popFailed</tt>.</t>
          </li>
          <li>
            <t>The client creates the Decrypted POP control as part of a new
<tt>PKIData</tt>. The fields in the <tt>DecryptedPOP</tt> are:  </t>
            <ul spacing="normal">
              <li>
                <t><tt>bodyPartID</tt> refers to the certification request in the new PKI
Request.</t>
              </li>
              <li>
                <t><tt>thePOPAlgID</tt> is copied from the <tt>encryptedPOP</tt>.</t>
              </li>
              <li>
                <t><tt>thePOP</tt> contains the possession proof. This value is computed by
<tt>thePOPAlgID</tt> using the POP Proof Value and the request.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The server then re-computes the value of <tt>thePOP</tt> from its cached
value and the request and compares to the value of <tt>thePOP</tt>. If
the values do not match, the server <bcp14>MUST NOT</bcp14> issue the
certificate. The server <bcp14>MAY</bcp14> reissue a new challenge or <bcp14>MAY</bcp14> fail
the request altogether.</t>
          </li>
        </ol>
        <t>When defining the algorithms for <tt>thePOPAlgID</tt> and <tt>witnessAlgID</tt>, care
must be taken to ensure that the result of <tt>witnessAlgID</tt> is not a
useful value to shortcut the computation with <tt>thePOPAlgID</tt>. The POP
Proof Value is used as the secret value in the HMAC algorithm and the
request is used as the data. If the POP Proof Value is greater than
64 bytes, only the first 64 bytes of the POP Proof Value is used as
the secret.</t>
        <t>One potential problem with the algorithm above is the amount of state
that a CA needs to keep in order to verify the returned POP value.
The following describes one of many possible ways of addressing the
problem by reducing the amount of state kept on the CA to a single
(or small set) of values.</t>
        <ol spacing="normal" type="1"><li>
          <t>Server generates random seed x, constant across all requests.
	  (The value of x would normally be altered on a regular basis and
kept for a short time afterwards.)</t>
          </li>
          <li>
            <t>For certification request R, server computes y = F(x,R). F can
be, for example, HMAC-SHA256(x,R). All that's important for
statelessness is that y be consistently computable with only
known state constant x and function F, other inputs coming from
the certification request structure. y should not be predictable
based on knowledge of R, thus the use of a one-way function like
HMAC-SHA256.</t>
          </li>
        </ol>
      </section>
      <section anchor="RAPOPWitnessControl">


        <name>RA POP Witness Control</name>
        <t>In a certification request scenario that involves an RA, the CA may
allow (or require) that the RA perform the POP protocol with the
entity that generated the certification request. In this case, the
RA needs a way to inform the CA that it has done the POP. The RA POP
Witness control addresses this issue.</t>
        <t>The RA POP Witness control is identified by the OID:</t>

        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= { id-cmc 11 }]]></sourcecode>

        <t>The RA POP Witness control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  LraPopWitness ::= SEQUENCE {
    pkiDataBodyid   BodyPartID,
    bodyIds         SEQUENCE OF BodyPartID
    }]]></sourcecode>

        <t>The fields in <tt>LraPopWitness</tt> have the following meaning:</t>
        <ul spacing="normal">
          <li>
            <t><tt>pkiDataBodyid</tt> contains the body part identifier of the nested
            <tt>TaggedContentInfo</tt> containing the client's Full PKI Request.
            <tt>pkiDataBodyid</tt> is set to 0 if the request is in the current
            <tt>PKIData</tt>.</t>
          </li>
          <li>
            <t><tt>bodyIds</tt> is a list of certification requests for which the RA
            has performed an out-of-band authentication. The method of
            authentication could be archival of private key material,
            challenge-response, or other means.</t>
          </li>
        </ul>

        <t>If a certification server does not allow an RA to do the POP
verification, it returns a <tt>CMCFailInfo</tt> with the value of <tt>popFailed</tt>.
The CA <bcp14>MUST NOT</bcp14> start a challenge-response to reverify the POP
itself.</t>
      </section>
      <section anchor="GetCertificateControl">
        <name>Get Certificate Control</name>
        <t>Everything described in this section is optional to implement.</t>
        <t>The Get Certificate control is used to retrieve a previously issued
certificate from a certificate repository. A CA, an RA, or an
independent service may provide this repository. The clients
expected to use this facility are those where a fully deployed
directory is either infeasible or undesirable.</t>
        <t>The Get Certificate control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-getCert OBJECT IDENTIFIER ::= { id-cmc 15 }]]></sourcecode>

        <t>The Get Certificate control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  GetCert ::= SEQUENCE {
    issuerName    GeneralName,
    serialNumber  INTEGER }]]></sourcecode>

        <t>The fields in <tt>GetCert</tt> have the following meaning:</t>
        <ul spacing="normal">
          <li>
            <t><tt>issuerName</tt> is the name of the certificate issuer.</t>
          </li>
          <li>
            <t><tt>serialNumber</tt> identifies the certificate to be retrieved.</t>
          </li>
        </ul>

        <t>The server that responds to this request places the requested
certificate in the <tt>certificates</tt> field of a <tt>SignedData</tt>. If the Get
Certificate control is the only control in a Full PKI Request, the
response should be a Simple PKI Response.</t>
      </section>
      <section anchor="GetCRLControl">
        <name>Get CRL Control</name>
        <t>Everything described in this section is optional to implement.</t>
        <t>The Get CRL control is used to retrieve CRLs from a repository of
CRLs. A CA, an RA, or an independent service may provide this
repository. The clients expected to use this facility are those
where a fully deployed directory is either infeasible or undesirable.</t>
        <t>The Get CRL control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-getCRL OBJECT IDENTIFIER ::= { id-cmc 16 }]]></sourcecode>

        <t>The Get CRL control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  GetCRL ::= SEQUENCE {
    issuerName    Name,
    cRLName       GeneralName OPTIONAL,
    time          GeneralizedTime OPTIONAL,
    reasons       ReasonFlags OPTIONAL }]]></sourcecode>

        <t>The fields in a <tt>GetCRL</tt> have the following meanings:</t>
        <ul spacing="normal">
          <li>
            <t><tt>issuerName</tt> is the name of the CRL issuer.</t>
          </li>
          <li>
            <t><tt>cRLName</tt> may be the value of <tt>CRLDistributionPoints</tt> in the
            subject certificate or equivalent value in the event the
            certificate does not contain such a value.</t>
          </li>
          <li>
            <t><tt>time</tt> is used by the client to specify from among potentially
            several issues of CRL that one whose <tt>thisUpdate</tt> value is less than
            but nearest to the specified time. In the absence of a time
            component, the CA always returns with the most recent CRL.</t>
          </li>
          <li>
            <t><tt>reasons</tt> is used to specify from among CRLs partitioned by
            revocation reason. Implementers should bear in mind that while a
            specific revocation request has a single <tt>CRLReason</tt> code -- and
            consequently entries in the CRL would have a single <tt>CRLReason</tt> code
            value -- a single CRL can aggregate information for one or more
            <tt>reasonFlags</tt>.</t>
          </li>
        </ul>

        <t>A server responding to this request places the requested CRL in the
<tt>crls</tt> field of a <tt>SignedData</tt>. If the Get CRL control is the only
control in a Full PKI Request, the response should be a Simple PKI
Response.</t>
      </section>
      <section anchor="RevocationRequestControl">
        <name>Revocation Request Control</name>
        <t>The Revocation Request control is used to request that a certificate
be revoked.</t>
        <t>The Revocation Request control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-revokeRequest OBJECT IDENTIFIER ::= { id-cmc 17 }]]></sourcecode>

        <t>The Revocation Request control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  RevokeRequest ::= SEQUENCE {
    issuerName      Name,
    serialNumber    INTEGER,
    reason          CRLReason,
    invalidityDate  GeneralizedTime OPTIONAL,
    sharedSecret    OCTET STRING OPTIONAL,
    comment         UTF8string OPTIONAL }]]></sourcecode>

        <t>The fields of <tt>RevokeRequest</tt> have the following meaning:</t>
        <ul spacing="normal">
          <li>
            <t><tt>issuerName</tt> is the name of the certificate issuer.</t>
          </li>
          <li>
            <t><tt>serialNumber</tt> is the serial number of the certificate to be revoked.</t>
          </li>
          <li>
            <t><tt>reason</tt> is the suggested <tt>CRLReason</tt> code for why the certificate
            is being revoked. The CA can use this value at its discretion in
            building the CRL.</t>
          </li>
          <li>
            <t><tt>invalidityDate</tt> is the suggested value for the Invalidity Date
            CRL Extension. The CA can use this value at its discretion in
            building the CRL.</t>
          </li>
          <li>
            <t><tt>sharedSecret</tt> is a secret value registered by the EE when the
            certificate was obtained to allow for revocation of a certificate
            in the event of key loss.</t>
          </li>
          <li>
            <t><tt>comment</tt> is a human-readable comment.</t>
          </li>
        </ul>

        <t>For a revocation request to be reliable in the event of a dispute, a
strong proof-of-origin is required. However, in the instance when an
EE has lost use of its signature private key, it is impossible for
the EE to produce a digital signature (prior to the certification of
a new signature key pair). The Revoke Request control allows the EE
to send the CA a shared-secret that may be used as an alternative
authenticator in the instance of loss of use of the EE's signature
private key. The acceptability of this practice is a matter of local
security policy.</t>
        <t>It is possible to sign the revocation for the lost certificate with a
different certificate in some circumstances. A client can sign a
revocation for an encryption key with a signing certificate if the
name information matches. Similarly, an administrator or RA can be
assigned the ability to revoke the certificate of a third party.
Acceptance of the revocation by the server depends on local policy in
these cases.</t>
        <t>Clients <bcp14>MUST</bcp14> provide the capability to produce a digitally signed
Revocation Request control. Clients <bcp14>SHOULD</bcp14> be capable of producing
an unsigned Revocation Request control containing the EE shared-secret (the unsigned message consisting of a <tt>SignedData</tt> with no
signatures). If a client provides shared-secret-based self-revocation, the client <bcp14>MUST</bcp14> be capable of producing a Revocation
Request control containing the shared-secret. Servers <bcp14>MUST</bcp14> be
capable of accepting both forms of revocation requests.</t>
        <t>The structure of an unsigned, shared-secret-based revocation request
is a matter of local implementation. The shared-secret does not need
to be encrypted when sent in a Revocation Request control. The
shared-secret has a one-time use (i.e., it is used to request
revocation of the certificate), and public knowledge of the shared-secret after the certificate has been revoked is not a problem.
Clients need to inform users that the same shared-secret <bcp14>SHOULD NOT</bcp14>
be used for multiple certificates.</t>
        <t>A Full PKI Response <bcp14>MUST</bcp14> be returned for a revocation request.</t>
      </section>
      <section anchor="RegistrationandResponseInformationControls">
        <name>Registration and Response Information Controls</name>
        <t>The Registration Information control allows for clients to pass
additional information as part of a Full PKI Request.</t>
        <t>The Registration Information control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-regInfo OBJECT IDENTIFIER ::= { id-cmc 18 }]]></sourcecode>

        <t>The Registration Information control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  RegInfo ::= OCTET STRING]]></sourcecode>
        <t>The content of this data is
based on bilateral agreement between the
client and server.</t>
        <t>The Response Information control allows a server to return additional
information as part of a Full PKI Response.</t>
        <t>The Response Information control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-responseInfo  OBJECT IDENTIFIER ::= { id-cmc 19 }]]></sourcecode>

        <t>The Response Information control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  ResponseInfo ::= OCTET STRING]]></sourcecode>

        <t>The content of this data is based on bilateral agreement between the
client and server.</t>
      </section>
      <section anchor="QueryPendingControl">
        <name>Query Pending Control</name>
        <t>In some environments, process requirements for manual intervention or
other identity checks can delay the return of the certificate. The
Query Pending control allows clients to query a server about the
state of a pending certification request. The server returns a
<tt>pendToken</tt> as part of the Extended CMC Status Info and the CMC Status
Info controls (in the <tt>otherInfo</tt> field). The client copies the
<tt>pendToken</tt> into the Query Pending control to identify the correct
certification request to the server. The server returns a suggested
time for the client to query for the state of a pending certification
request.</t>
        <t>The Query Pending control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-queryPending  OBJECT IDENTIFIER ::= { id-cmc 21 }]]></sourcecode>

        <t>The Query Pending control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  QueryPending ::= OCTET STRING]]></sourcecode>

        <t>If a server returns a pending or partial <tt>CMCStatusInfo</tt> (the
transaction is still pending), the <tt>otherInfo</tt> <bcp14>MAY</bcp14> be omitted. If the
<tt>otherInfo</tt> is not omitted, the value of <tt>pendInfo</tt> <bcp14>MUST</bcp14> be the same as
the original <tt>pendInfo</tt> value.</t>
      </section>
      <section anchor="ConfirmCertificateAcceptanceControl">
        <name>Confirm Certificate Acceptance Control</name>
        <t>Some CAs require that clients give a positive confirmation that the
certificates issued to the EE are acceptable. The Confirm
Certificate Acceptance control is used for that purpose. If the CMC
Status Info on a PKI Response is <tt>confirmRequired</tt>, then the client
<bcp14>MUST</bcp14> return a Confirm Certificate Acceptance control contained in a
Full PKI Request.</t>
        <t>Clients <bcp14>SHOULD</bcp14> wait for the PKI Response from the server that the
confirmation has been received before using the certificate for any
purpose.</t>
        <t>The Confirm Certificate Acceptance control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-confirmCertAcceptance  OBJECT IDENTIFIER ::= { id-cmc 24 }]]></sourcecode>

        <t>The Confirm Certificate Acceptance control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  CMCCertId ::= IssuerAndSerialNumber]]></sourcecode>

        <t><tt>CMCCertId</tt> contains the issuer and serial number of the certificate
being accepted.</t>
        <t>Servers <bcp14>MUST</bcp14> return a Full PKI Response for a Confirm Certificate
Acceptance control.</t>
        <t>Note that if the CA includes this control, there will be two full
round trips of messages, as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>The client sends the certification request to the CA.</t>
          </li>
          <li>
            <t>The CA returns a Full PKI Response with the certificate and this
control.</t>
          </li>
          <li>
            <t>The client sends a Full PKI Request to the CA with an Extended
CMC Status Info or a CMC Status Info control accepting and a Confirm Certificate
Acceptance control or an Extended CMC Status Info or a CMC Status Info control
rejecting the certificate.</t>
          </li>
          <li>
            <t>The CA sends a Full PKI Response to the client with an Extended
CMC Status Info of success.</t>
          </li>
        </ol>
      </section>
      <section anchor="PublishTrustAnchorsControl">
        <name>Publish Trust Anchors Control</name>
        <t>The Publish Trust Anchors control allows for the distribution of set
trust anchors from a central authority to an EE. The same control is
also used to update the set of trust anchors. Trust anchors are
distributed in the form of certificates. These are expected, but not
required, to be self-signed certificates. Information is extracted
from these certificates to set the inputs to the certificates
validation algorithm in <xref target="RFC5280" section="6.1.1"/>.</t>
        <t>The Publish Trust Anchors control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-trustedAnchors  OBJECT IDENTIFIER ::= { id-cmc 26 }]]></sourcecode>

        <t>The Publish Trust Anchors control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  PublishTrustAnchors ::= SEQUENCE {
    seqNumber      INTEGER,
    hashAlgorithm  AlgorithmIdentifier{DIGEST-ALGORITHM,
                       {HashAlgorithms}},
    anchorHashes   SEQUENCE OF OCTET STRING
  }]]></sourcecode>

        <t>The fields in <tt>PublishTrustAnchors</tt> have the following meaning:</t>
        <ul spacing="normal">
          <li>
            <t><tt>seqNumber</tt> is an integer indicating the location within a
            sequence of updates.</t>
          </li>
          <li>
            <t><tt>hashAlgorithm</tt> is the identifier and parameters for the hash
            algorithm that is used in computing the values of the <tt>anchorHashes</tt>
            field. All implementations <bcp14>MUST</bcp14> implement SHA-256
            for this field.</t>
          </li>
          <li>
            <t><tt>anchorHashes</tt> are the hashes for the certificates that are to be
            treated as trust anchors by the client. The actual certificates
            are transported in the <tt>certificates</tt> field of the containing
            <tt>SignedData</tt> structure.</t>
          </li>
        </ul>

        <t>While it is recommended that the sender place the certificates that
are to be trusted in the PKI Response, it is not required as the
certificates should be obtainable using normal discovery techniques.</t>
        <t>Prior to accepting the trust anchor's changes, a client <bcp14>MUST</bcp14> at least
do the following: validate the signature on the PKI Response to a
current trusted anchor, check with policy to ensure that the signer
is permitted to use the control, validate that the authenticated
publish time in the signature is near to the current time, and
validate that the sequence number is greater than the previously used
one.</t>
        <t>In the event that multiple agents publish a set of trust anchors, it
is up to local policy to determine how the different trust anchors
should be combined. Clients <bcp14>SHOULD</bcp14> be able to handle the update of
multiple trust anchors independently.</t>

<aside><t>Note: Clients that handle this control must use extreme care in
validating that the operation is permissible. Incorrect handling of
this control allows for an attacker to change the set of trust
anchors on the client.</t></aside>

      </section>
      <section anchor="AuthenticatedDataControl">
        <name>Authenticated Data Control</name>
        <t>The Authenticated Data control allows a server to provide data back
to the client in an authenticated manner. This control uses the
Authenticated Data structure to allow for validation of the data.
This control is used where the client has a shared-secret and a
secret identifier with the server, but where a trust anchor has not
yet been downloaded onto the client so that a signing certificate for
the server cannot be validated. The specific case that this control
was created for use with is the Publish Trust Anchors control
(<xref target="PublishTrustAnchorsControl"/>), but it may be used in other cases as well.</t>
        <t>The Authenticated Data control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-authData OBJECT IDENTIFIER ::= { id-cmc 27 }]]></sourcecode>

        <t>The Authenticated Data control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  AuthPublish ::= BodyPartID]]></sourcecode>

        <t><tt>AuthPublish</tt> is a body part identifier that refers to a member of the
<tt>cmsSequence</tt> element for the current PKI Response or PKI Data.  The
<tt>cmsSequence</tt> element is <tt>AuthenticatedData</tt>. The encapsulated content
is an <tt>id-cct-PKIData</tt>. The controls in the <tt>controlSequence</tt> need to be
	processed if the authentication succeeds.</t>
	<aside><t>Note: One example is the
Publish Trust Anchors control in <xref target="PublishTrustAnchorsControl"/>.</t></aside>
        <t>If the authentication operation fails, the <tt>CMCFailInfo</tt> <tt>authDataFail</tt>
is returned.</t>
      </section>
      <section anchor="BatchRequestandResponseControls">
        <name>Batch Request and Response Controls</name>
        <t>These controls allow for an RA to collect multiple requests together
into a single Full PKI Request and forward it to a CA. The server
would then process the requests and return the results in a Full PKI
Response.</t>
        <t>The Batch Request control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-batchRequests OBJECT IDENTIFIER ::= { id-cmc 28 }]]></sourcecode>

        <t>The Batch Response control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-batchResponses OBJECT IDENTIFIER ::= { id-cmc 29 }]]></sourcecode>

        <t>Both the Batch Request and Batch Response controls have the ASN.1
definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  BodyPartList ::= SEQUENCE OF BodyPartID]]></sourcecode>

        <t>The data associated with these controls is a set of body part
identifiers. Each request/response is placed as an individual entry
in the <tt>cmcSequence</tt> of the new <tt>PKIData</tt>/<tt>PKIResponse</tt>. The body part
identifiers of these entries are then placed in the body part list
associated with the control.</t>
        <t>When a server processes a Batch Request control, it <bcp14>MAY</bcp14> return the
responses in one or more PKI Responses. A <tt>CMCStatus</tt> value of <tt>partial</tt>
is returned on all but the last PKI Response. The <tt>CMCStatus</tt> would be
<tt>success</tt> if the Batch Request control was processed; the responses
are created with their own <tt>CMCStatus</tt> code. Errors on individual
requests are not propagated up to the top level.</t>
        <t>When a PKI Response with a <tt>CMCStatus</tt> value of <tt>partial</tt> is returned,
the Query Pending control (<xref target="QueryPendingControl"/>) is used to retrieve
additional results. The returned status includes a suggested time
after which the client should ask for the additional results.</t>
      </section>
      <section anchor="PublicationInformationControl">
        <name>Publication Information Control</name>
        <t>The Publication Information control allows for modifying publication
of already issued certificates, both for publishing and removal from
publication. A common usage for this control is to remove an
existing certificate from publication during a rekey operation. This
control should always be processed after the issuance of new
certificates and revocation requests. This control should not be
processed if a certificate failed to be issued.</t>
        <t>The Publication Information control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-publishCert OBJECT IDENTIFIER ::= { id-cmc 30 }]]></sourcecode>

        <t>The Publication Information control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  CMCPublicationInfo ::= SEQUENCE {
    hashAlg        AlgorithmIdentifier{DIGEST-ALGORITHM,
                         {HashAlgorithms}},
    certHashes     SEQUENCE OF OCTET STRING,
    pubInfo        PKIPublicationInfo
    }

  PKIPublicationInfo ::= SEQUENCE {
    action     INTEGER {
                        dontPublish (0),
                        pleasePublish (1) },
    pubInfos  SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL }

    -- pubInfos MUST NOT be present if action is "dontPublish"
    -- (if action is "pleasePublish" and pubInfos is omitted,
    -- "dontCare" is assumed)

  SinglePubInfo ::= SEQUENCE {
    pubMethod    INTEGER {
                         dontCare    (0),
                         x500        (1),
                         web         (2),
                         ldap        (3) },
     pubLocation  GeneralName OPTIONAL }
  }]]></sourcecode>

        <t>The fields in <tt>CMCPublicationInfo</tt> have the following meaning:</t>
        <ul spacing="normal">
          <li>
            <t><tt>hashAlg</tt> is the algorithm identifier of the hash algorithm used
            to compute the values in <tt>certHashes</tt>.</t>
          </li>
	  <li>
            <t><tt>certHashes</tt> are the hashes of the certificates for which
            publication is to change.</t>
          </li>
          <li>
            <t><tt>pubInfo</tt> is the information where and how the certificates
            should be published. The fields in <tt>pubInfo</tt> (taken from <xref
            target="RFC4211"/><xref target="RFC5912"/>) have the following meanings:</t>
                <ul spacing="normal">
                  <li>
                    <t><tt>action</tt> indicates the action the service should take. It
                    has two values:</t>
                    <ul spacing="normal">
                      <li>
                        <t><tt>dontPublish</tt> indicates that the PKI should not
                        publish the certificate (this may indicate that the
                        requester intends to publish the certificate
                        themselves). <tt>dontPublish</tt> has the added connotation of
                        removing from publication the certificate if it is
                        already published.</t>
		      </li>
                      <li>
                        <t><tt>pleasePublish</tt> indicates that the PKI
                        <bcp14>MAY</bcp14> publish the certificate using
                        whatever means it chooses unless <tt>pubInfos</tt> is
                        present. Omission of the CMC Publication Info control
                        results in the same behavior.</t>
                      </li>
                    </ul>

                  </li>
                  <li>
                    <t><tt>pubInfos</tt> indicates how (e.g., X.500, Web, IP
                    Address) the PKI <bcp14>SHOULD</bcp14> publish the
                    certificate.</t>
                  </li>
                </ul>
              </li>
            </ul>

        <t>A single certificate <bcp14>SHOULD NOT</bcp14> appear in more than one Publication
Information control. The behavior is undefined in the event that it
does.</t>
      </section>
      <section anchor="ControlProcessedControl">
        <name>Control Processed Control</name>
        <t>The Control Processed control allows an RA to indicate to subsequent
control processors that a specific control has already been
processed. This permits an RA in the middle of a processing stream
to process a control defined either in a local context or in a
subsequent document.</t>
        <t>The Control Processed control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-controlProcessed  OBJECT IDENTIFIER ::= { id-cmc 32 }]]></sourcecode>

        <t>The Control Processed control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  ControlList ::= SEQUENCE {
    bodyList        SEQUENCE SIZE (1..MAX) OF BodyPartReference
  }]]></sourcecode>

        <ul spacing="normal">
              <li>
                <t><tt>bodyList</tt> is a series of body part identifiers that form a
                path to each of the controls that were processed by the
                RA. This control is only needed for those controls that are
                not part of this standard and thus would cause an error
                condition of a server attempting to deal with a control not
                defined in this document.  No error status is needed since an
                error causes the RA to return the request to the client with
                the error rather than passing the request on to the next
                server in the processing list.</t>
              </li>
            </ul>

      </section>
      <section anchor="RAIdentityProofWitnessControl">
        <name>RA Identity Proof Witness Control</name>
        <t>The RA Identity Proof Witness control allows an RA to indicate to
subsequent control processors that all of the Proof-of-Identity
requirements have been met.  This permits the Proof-of-Identity to be
performed at a location closer to the EE.  For example, the
Proof-of-Identity could be done at multiple physical locations, while
the CA could operate on a company-wide basis.  The RA performs the
Proof-of-Identity, and potentially other tasks that require the secret
to be used, while the CA is prevented from knowing the secret.  If
checks related to Proof-of-Identity fail, then the RA returns an error to the client
denoting that fact.</t>
        <t>The RA Identity Proof Witness control is identified by the OID:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
 id-cmc-raIdentityWitness OBJECT IDENTIFIER ::= { id-cmc 35 }]]></sourcecode>

        <t>The RA Identity Proof Witness control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  cmc-raIdentityWitness CMC-CONTROL ::=
    { BodyPartPath IDENTIFIED BY id-cmc-raIdentityWitness }]]></sourcecode>

        <ul spacing="normal">
          <li>
            <t><tt>cmc-raIdentityWitness</tt> is a CMC-CONTROL associating the OID <tt>id-cmc-raIdentityWitness</tt> and the type <tt>BodyPartPath</tt>.
            This object is omitted from the 1988 module.  The object is added
            to the object set <tt>Cmc-Control-Set</tt>.  The control is permitted to
            appear only in the control sequence of a <tt>PKIData</tt> object.  It
            <bcp14>MUST NOT</bcp14> appear in the control sequence of a
            <tt>PKIResponse</tt>.  The control is permitted to be used only by an RA.
            The control may appear multiple times in a control sequence with
            each occurrence pointing to a different object.</t>
          </li>
          <li>
            <t><tt>id-cmc-raIdentityWitness</tt> is the OID used to
            identify this CMC control.</t>
          </li>
          <li>
            <t><tt>BodyPartPath</tt> is the type structure associated with the control.
            The syntax of <tt>BodyPartPath</tt> is defined in <xref
            target="BodyPartIdentification"/>.  The path contains a sequence
            of body part identifiers leading to one of the following
            items:</t>
                <ul spacing="normal">
                  <li>
                    <t>Identity Proof control if the RA verified the Proof-of-Identity
                    in this control.</t>
                  </li>
                  <li>
                    <t>Identity Proof Version 2 control if the RA verified the
                    Proof-of-Identity in this control.</t>
                  </li>
                  <li>
                    <t>Full PKI Request if the RA performed an out-of-band
                    identity proof for this request.  The request
                    <bcp14>SHOULD NOT</bcp14> contain either Identity Proof
                    control.</t>
                  </li>
                  <li>
                    <t>Simple PKI Request if the RA performed an out-of-band
                    identity proof for this request.</t>
                  </li>
		</ul>
              </li>
            </ul>

        <t>The RA Identity Proof Witness control will frequently be associated
with a Modify Certification Request control, which changes the name
fields in the associated certification requests.  This is because the
RA knows the actual name to be assigned to the entity requesting the
certificate, and the EE does not yet have the details of the
	name.</t>
	<aside><t>Note: The association would be set up by the operator at the time
the shared-secret was generated by the RA.</t></aside>
        <t>When this control is placed in a message, it is <bcp14>RECOMMENDED</bcp14> that the
Control Processed control be placed in the body sequence as well.
Using the explicit new control rather than implicitly relying on the
Control Processed control is important due to the need to know
explicitly which Proof-of-Identity have been performed.  The new
control also allows an RA to state that out-of-band Proof-of-Identity
have been performed.</t>
        <t>When the Proof-of-Identity is performed by an RA, the RA also <bcp14>MUST</bcp14>
validate the linking between the Proof-of-Identity and the name
information wrapped inside of the key proof-of-possession.</t>
</section>

      <section anchor="ResponseBodyControl">
        <name>Response Body Control</name>
        <t>The Response Body control is designed to enable an RA to inform an EE
that there is an embedded response message that <bcp14>MUST</bcp14> be processed as
part of the processing of this message.  This control is designed to
be used in a couple of different cases where an RA has done some
additional processing for the certification request, e.g., as key
generation.  When an RA performs key generation on behalf of an EE,
the RA <bcp14>MUST</bcp14> respond with both the original response message from the
certificate issuer (containing the certificate issuance) as part of
the response generated by the RA (containing the new key).  Another
case where this is useful is when the secret is shared between the RA
and the EE (rather than between the CA and the EE) and the RA returns
the Publish Trust Anchors control (to populate the correct trust
points).</t>
<t>The Response Body control is identified by the OID:</t>

        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-cmc-responseBody OBJECT IDENTIFIER ::= { id-cmc 37 }]]></sourcecode>

        <t>The Response Body control has the ASN.1 definition:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  cmc-responseBody CMC-CONTROL ::=
     { BodyPartPath IDENTIFIED BY id-cmc-responseBody }]]></sourcecode>

        <ul spacing="normal">
          <li>
            <t><tt>cmc-responseBody</tt> is a CMC-CONTROL associating the OID <tt>id-cmc-responseBody</tt> with the type <tt>BodyPartPath</tt>.  This
            object is omitted from the 1988 module.  The object is added to
            the object set <tt>Cmc-Control-Set</tt>.  The control is permitted to
            appear only in the control sequence of a <tt>PKIResponse</tt>.  The control
            <bcp14>MUST NOT</bcp14> appear in the control sequence of a
            <tt>PKIData</tt>.  It is expected that only an intermediary RA will use
            this control; a CA generally does not need the control as it is
            creating the original innermost message.</t>
          </li>
          <li>
            <t><tt>id-cmc-responseBody</tt> is the OID used to identify
            this CMC control.</t>
          </li>
          <li>
            <t><tt>BodyPartPath</tt> is the type structure associated with the control.
            The syntax of <tt>BodyPartPath</tt> is defined in <xref
            target="BodyPartIdentification"/>.  The path contains a sequence
            of body part identifiers leading to a <tt>cmsSequence</tt> item, which
            contains a <tt>PKIResponse</tt> within it.</t>
          </li>
        </ul>

      </section>
    </section>
    <section anchor="OtherAttributes">
      <name>Other Attributes</name>
      <t>There are a number of different locations where various types of
attributes can be placed in either a CMC request or a CMC response
message.  These places include the attribute sequence of a PKCS #10
request, controls in <xref section="6" sectionFormat="of" target="RFC4211"/>, and the various
CMS attribute sequences.</t>
      <section anchor="ChangeSubjectNameAttribute">
        <name>Change Subject Name Attribute</name>
        <t>The Client Name Change Request attribute is designed for a client to
ask for a change in its name as part of a certification request.
Because of security issues, this cannot be done in the simple way of
just changing the requested subject's name in the certificate template.
The name in the certification request <bcp14>MUST</bcp14> match the name in the
certificate used to verify the request, in order for identity and
possession proofs to be correctly applied.</t>
        <t>The relevant ASN.1 for the Client Name Change Request attribute is as
follows:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  at-cmc-changeSubjectName ATTRIBUTE ::= {
      TYPE ChangeSubjectName IDENTIFIED BY id-cmc-changeSubjectName }

  id-cmc-changeSubjectName OBJECT IDENTIFIER ::= { id-cmc 36 }

  ChangeSubjectName ::= SEQUENCE {
    subject             Name OPTIONAL,
    subjectAlt          [1] GeneralNames OPTIONAL
  }
  (WITH COMPONENTS {..., subject PRESENT} |
   WITH COMPONENTS {..., subjectAlt PRESENT} )]]></sourcecode>

        <t>The attribute is designed to be used as an <tt>ATTRIBUTE</tt> object.  As
such, the attribute is placed in one of the following two places:</t>
        <ul spacing="normal">
          <li>
            <t>The <tt>attributes</tt> field in a <tt>CertificationRequest</tt>.</t>
          </li>
          <li>
            <t>The <tt>controls</tt> field of a <tt>CertRequest</tt> for a CRMF.</t>
          </li>
        </ul>

        <t>The control is identified by the OID
<tt>id-cmc-changeSubjectName</tt>.</t>
        <t>The ASN.1 type associated with control is <tt>ChangeSubjectName</tt>.  The
fields of the structure are configured as follows:</t>

        <ul spacing="normal">
          <li>
            <t><tt>subject</tt> contains the requested subject name for the new
            certificate.</t>
          </li>
          <li>
            <t><tt>subjectAlt</tt> contains the requested subject alternative name for
            the new certificate.</t>
          </li>
        </ul>

        <t>At least one of the fields in the sequence <bcp14>MUST</bcp14> be present when
encoding the structure.</t>
        <t>When the CA processes this attribute in a certification request, it
will do the following:</t>
        <ol spacing="normal" type="1"><li>
            <t>If present, the <tt>subject</tt> field is copied to the <tt>name</tt> field of the
template.  If the <tt>subject</tt> field is absent, the <tt>name</tt> field of the
template will be set to an empty sequence.</t>
          </li>
          <li>
            <t>If present, the <tt>subjectAlt</tt> field is used as the content of a
Subject Alternative Name extension in the certificate.  If the <tt>subjectAlt</tt>
field is absent, the Subject Alternative Name extension is removed from the
certificate template.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="RegistrationAuthorities">
      <name>Registration Authorities</name>
      <t>This specification permits the use of RAs. An RA sits between the EE
and the CA. From the EE's perspective, the RA appears to be the CA,
and from the server, the RA appears to be a client. RAs receive the
PKI Requests, perform local processing and then forward them to
CAs. Some of the types of local processing that an RA can perform
include:</t>
      <ul spacing="normal">
        <li>
          <t>Batching multiple PKI Requests together,</t>
        </li>
        <li>
          <t>Performing challenge/response POP proofs,</t>
        </li>
        <li>
          <t>Adding private or standardized certificate extensions to all
certification requests,</t>
        </li>
        <li>
          <t>Archiving private key material,</t>
        </li>
        <li>
          <t>Routing requests to different CAs.</t>
        </li>
      </ul>
      <t>When an RA receives a PKI Request, it has three options: it may
forward the PKI Request without modification, it may add a new
wrapping layer to the PKI Request, or it may remove one or more
existing layers and add a new wrapping layer.</t>
      <t>When an RA adds a new wrapping layer to a PKI Request, it creates a
new <tt>PKIData</tt>. The new layer contains any controls required (for
example, if the RA does the POP proof for an encryption key or the
Add Extension control to modify a PKI Request) and the client PKI
Request. The client PKI Request is placed in the <tt>cmsSequence</tt> if it
is a Full PKI Request and in the <tt>reqSequence</tt> if it is a Simple PKI
Request. If an RA is batching multiple client PKI Requests together,
then each client PKI Request is placed into the appropriate location
in the RA's <tt>PKIData</tt> object along with all relevant controls.</t>
      <t>If multiple RAs are in the path between the EE and the CA, this will
lead to multiple wrapping layers on the request.</t>
      <t>In processing a PKI Request, an RA <bcp14>MUST NOT</bcp14> alter any certification
requests (PKCS #10 or CRMF) as any alteration would invalidate the
signature on the certification request and thus the POP for the
private key.</t>
      <t>An example of how this would look is illustrated by the following
figure:</t>
      <artwork><![CDATA[
  SignedData (by RA)
     PKIData
       controlSequence
         RA added control statements
       reqSequence
         Zero or more Simple PKI Requests from clients
        cmsSequence
             Zero or more Full PKI Requests from clients
               SignedData (signed by client)
               PKIData]]></artwork>

      <t>Under some circumstances, an RA is required to remove wrapping
layers. The following sections look at the processing required if
encryption, signing, and authenticated encryption layers need to
be removed.</t>
      <section anchor="EncryptionRemoval">
        <name>Encryption Removal</name>

        <t>There are two cases that require an RA to remove or change encryption in a PKI Request; both cases are true regardless of whether <tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt> is used.  In the first case, the encryption was applied for
the purposes of protecting the entire PKI Request from unauthorized
entities. If the CA does not have a <tt>RecipientInfo</tt> entry in the
encryption layer, the RA <bcp14>MUST</bcp14> remove the encryption layer. The RA
<bcp14>MAY</bcp14> add a new encryption layer with or without adding a new signing
layer.</t>
        <t>The second change of encryption that may be required is to change the
encryption inside of a signing layer. In this case, the RA <bcp14>MUST</bcp14>
remove all signing layers containing the encryption. All control
statements <bcp14>MUST</bcp14> be merged according to local policy rules as each
signing layer is removed and the resulting merged controls <bcp14>MUST</bcp14> be
placed in a new signing layer provided by the RA. If the signing
layer provided by the EE needs to also be removed, the RA can also
remove this layer.</t>
      </section>
      <section anchor="SignatureRemoval">
        <name>Signature Layer Removal</name>
        <t>Only two instances exist where an RA should remove a signature layer
on a Full PKI Request: if an encryption layer needs to be modified
within the request or if a CA will not accept secondary delegation
(i.e., multiple RA signatures). In all other situations, RAs <bcp14>SHOULD
NOT</bcp14> remove a signing layer from a PKI Request.</t>
        <t>If an RA removes a signing layer from a PKI Request, all control
statements <bcp14>MUST</bcp14> be merged according to local policy rules. The
resulting merged control statements <bcp14>MUST</bcp14> be placed in a new signing
layer provided by the RA.</t>
      </section>
    </section>
    <section anchor="CertificateRequirements">
      <name>CMC Infrastructure Certificate Requirements</name>
      <t>Certificates for servers used in the CMC protocol <bcp14>SHOULD</bcp14> conform to
the profile defined in <xref target="RFC5280"/>.  This document defines some
additional items that <bcp14>MAY</bcp14> appear in CMC server certificates.  <xref target="ExtendedKeyUsage"/>
defines some additional values for the EKU
extension.  <xref target="SubjectInformationAccess"/> defines a Subject Information Access
value that allows for a CMC certificate to publish information on how
to contact the services it provides.</t>
      <section anchor="ExtendedKeyUsage">
        <name>Extended Key Usage</name>
        <t>The EKU extension is used to restrict the use of
a certificate to specific applications.  We define three different
EKUs in this document.  The ASN.1 to define these EKUs is:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-kp-cmcCA      OBJECT IDENTIFIER ::= { id-kp 27 }
  id-kp-cmcRA      OBJECT IDENTIFIER ::= { id-kp 28 }
  id-kp-cmcArchive OBJECT IDENTIFIER ::= { id-kp 29 }]]></sourcecode>

        <t>The usage description for each of the EKUs is as follows:</t>
        <ul spacing="normal">
          <li>
            <t>CMC CAs are identified by the <tt>id-kp-cmcCA</tt>
            EKU.  The certificate may be the same as or
            different than the CA certificate.  If a different certificate is
            used, the certificates containing the <tt>id-kp-cmcCA</tt> EKU <bcp14>SHOULD</bcp14> have the same name as the certificate
            used for issuing the certificates.
	   (Using a separate key pair for
            CMC protocol operations and for issuing certificates and CRLs
            decreases the number of operations for which the private key used
            to sign certificates and CRLs would be used.)</t>
          </li>
          <li>
            <t>CMC Registration Authorities are identified by the <tt>id-kp-cmcRA</tt>
            EKU.  This usage is placed into RA
            certificates.</t>
          </li>
          <li>
            <t>CMC Archive Servers are identified by the <tt>id-kp-cmcArchive</tt>
            EKU.  CMC Archive Servers and the associated
            protocol are to be defined in a future document.</t>
          </li>
        </ul>

      </section>
      <section anchor="SubjectInformationAccess">
        <name>Subject Information Access</name>
        <t>The Subject Information Access extension indicates how to access
information and services for the subject of the certificate.  This document
defines a value for use in this extension, to identify the
different locations that CMC services will be available.  If this
value is placed in a certificate, an appropriate EKU defined in <xref target="ExtendedKeyUsage"/> <bcp14>MUST</bcp14> be included in the certificate as well.</t>
        <t>The <tt>id-ad-cmc</tt> OID is used when the subject offers certification
services using the CMC protocol.  If the CMC services are available
via HTTP or FTP (see <xref section="2" sectionFormat="of" target="RFC10003"/> and <xref section="4" sectionFormat="of" target="RFC10003"/>), <tt>accessLocation</tt> <bcp14>MUST</bcp14> be a <tt>uniformResourceIdentifier</tt>.
If the CMC services are available via electronic mail
(see <xref section="3" sectionFormat="of" target="RFC10003"/>), <tt>accessLocation</tt>
<bcp14>MUST</bcp14> be an <tt>rfc822Name</tt>.  If CMC services are available using TCP/IP
(see <xref section="5" sectionFormat="of" target="RFC10003"/>),
the <tt>dNSName</tt> or <tt>iPAddress</tt> name forms <bcp14>MUST</bcp14> be used.  Since the
<tt>GeneralName</tt> data structure does not permit the inclusion of a port
number, in the absence of other external configuration information,
the value of <tt>5318</tt> should be used.  (The port registration is in
<xref target="RFC10003" sectionFormat="of" section="7"/>.)  The semantics of other name forms of <tt>accessLocation</tt>
(when <tt>accessMethod</tt> is <tt>id-ad-cmc</tt>) are not defined by this
specification.</t>
        <t>The ASN.1 type for this extension is <tt>GeneralName</tt> (see <xref section="4.2.1.8" sectionFormat="of" target="RFC5280"/>).</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 }]]></sourcecode>

      </section>
    </section>
    <section anchor="SecurityConsiderations">
      <name>Security Considerations</name>
      <t>Mechanisms for thwarting replay attacks may be required in particular
implementations of this protocol depending on the operational
environment. In cases where the CA maintains significant state
information, replay attacks may be detectable without the inclusion
of the optional nonce mechanisms. Implementers of this protocol need
to carefully consider environmental conditions before choosing
whether or not to implement the Sender Nonce and Recipient Nonce
controls described in <xref target="TransactionIdentifierControlandSenderandRecipientNonceControls"/>.  Developers of state-constrained
PKI clients are strongly encouraged to incorporate the use of these
controls.</t>
      <t>Extreme care needs to be taken when archiving a signing key. The
holder of the archived key may have the ability to use the key to
generate forged signatures. There are however reasons why a signing
key should be archived. An archived CA signing key can be recovered
in the event of failure to continue to produce CRLs following a
disaster.</t>
      <t>Due care must be taken prior to archiving keys. Once a key is given
to an archiving entity, the archiving entity could use the keys in a
way not conducive to the archiving entity. Users should be made
especially aware that proper verification is made of the certificate
used to encrypt the private key material.</t>
      <t>Clients and servers need to do some checks on cryptographic
parameters prior to issuing certificates to make sure that weak
parameters are not used. A description of the small subgroup attack
is provided in <xref target="RFC2631"/>. Methods of avoiding the small subgroup attack
can be found in <xref target="RFC2785"/>. CMC implementations ought to be aware
of this attack when doing parameter validations.</t>
      <t>When using a shared-secret for authentication purposes, the shared-secret should be generated using good random number techniques
<xref target="RFC4086"/>. User selection of the secret allows for dictionary attacks
to be mounted.</t>
      <t>Extreme care must be used when processing the Publish Trust Anchors
control. Incorrect processing can lead to the practice of slamming
where an attacker changes the set of trusted anchors in order to
weaken security.</t>
      <t>One method of controlling the use of the Publish Trust Anchors
control is as follows. The client needs to associate with each trust
anchor accepted by the client the source of the trust anchor.
Additionally, the client should associate with each trust anchor the
types of messages for which the trust anchor is valid (i.e., is the
trust anchor used for validating S/MIME messages, TLS, or CMC
enrollment messages?).</t>
      <t>When a new message is received with a Publish Trust Anchors control,
the client would accept the set of new trust anchors for specific
applications only if the signature validates, the signer of the
message has the required policy approval for updating the trust
anchors, and local policy also would allow updating the trust
anchors.</t>
      <t>The CMS <tt>AuthenticatedData</tt> structure provides message integrity; it
does not provide message authentication in all cases. When using
MACs, in this document, the following restrictions need to be observed.
All messages should be for a single entity. If two entities are
placed in a single message, the entities can generate new messages
that have a valid MAC and might be assumed to be from the original
message sender. All entities that have access to the shared-secret
can generate messages that will have a successful MAC validation.
This means that care must be taken to keep this value secret.
Whenever possible, the <tt>SignedData</tt> structure should be used in
preference to the <tt>AuthenticatedData</tt> structure.</t>
      <t>A number of controls, such as the RA Identity Proof Witness control,
exist for an RA to either make assertions about or modify a
certification request.  Any upstream request processor, such as a CA,
<bcp14>MUST</bcp14> verify that the RA is fully identified and authorized to make
the assertion or modification it is claiming.  If it is not
identified or authorized, then any request <bcp14>MUST</bcp14> be rejected.</t>
      <t>CMC servers, both RAs and CAs, need to perform due diligence in
checking the contents of a certification request.  At an absolute
minimum, all fields should be checked to ensure that the policies of
the CA/RA are correctly enforced.  While all fields need to be
checked, special care should be taken with names, name forms,
algorithm choices, and algorithm parameters.</t>
      <t>The vulnerability noted in <xref target="Str23"/> is mitigated in Full PKI Requests
and Responses because signed attributes are always present and <tt>id-data</tt>
is always used with a media type. The vulnerability noted in <xref target="Str23"/>
is not applicable to Simple PKI Requests or Responses because there
is no content encryption applied.</t>
    </section>
    <section anchor="IANAConsiderations">
      <name>IANA Considerations</name>
      <t>This document defines a number of CMC-related control objects, ASN.1
modules, extended key purposes, and content types.  All are identified by
OIDs.  The OIDs are defined from an arc delegated
by IANA to the PKIX Working Group with the notable exception of one
S/MIME attribute. All registrations follow.</t>
      <t>For the ASN.1 modules in <xref target="asn.1-modules"/>, IANA has assigned
an OID for the module identifier 124 with a Description of
"id-mod-enrollMsgSyntax-2025" in <xref target="asn.1-cmc"/> and an OID for the module
identifier 125 with a Description of "id-mod-pbkdf2-prfs-2025" in <xref target="asn.1-pbkdf2"/>.
The OIDs for the modules should be allocated in the "SMI Security
for PKIX Module Identifier" registry <xref target="PKIX-MODIDS"/>.</t>
      <t>IANA has replaced the references for the following S/MIME
attributes found in the "SMI Security for S/MIME Attributes" registry
<xref target="SMIME-ATTRS"/> with a pointer to this document:</t>
      <ul spacing="normal">
        <li>
          <t><tt>id-aa-cmc-unsignedData</tt></t>
        </li>
      </ul>
      <t>IANA has replaced the references for the following key
purposes found in the "SMI Security for PKIX Extended Key Purpose"
registry <xref target="PKIX-EKPS"/> with a pointer to this document:</t>
      <ul spacing="normal">
        <li>
          <t><tt>id-kp-cmcCA</tt></t>
        </li>
        <li>
          <t><tt>id-kp-cmcRA</tt></t>
        </li>
        <li>
          <t><tt>id-kp-cmcArchive</tt></t>
        </li>
      </ul>
      <t>IANA has replaced the references for the following signature
algorithm found in the "SMI Security for PKIX Algorithms" registry
<xref target="IANA-PKIX-ALGS"/> with a pointer to this document:</t>
      <ul spacing="normal">
        <li>
          <t><tt>id-alg-noSignature</tt></t>
        </li>
      </ul>
      <t>IANA has replaced the references for the following CMC
controls found in the "SMI Security for PKIX CMC Controls" registry
<xref target="CMC-CTRLS"/> with a pointer to this document:</t>
      <ul spacing="normal">
        <li>
          <t><tt>id-cmc-statusInfo</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-identification</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-identityProof</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-dataReturn</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-transactionId</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-senderNonce</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-recipientNonce</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-addExtensions</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-encryptedPOP</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-decryptedPOP</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-lraPOPWitness</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-getCert</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-getCRL</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-revokeRequest</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-regInfo</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-responseInfo</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-queryPending</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-popLinkRandom</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-popLinkWitness</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-confirmCertAcceptance</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-statusInfoV2</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-trustedAnchors</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-authData</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-batchRequests</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-batchResponses</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-publishCert</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-modCertTemplate</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-controlProcessed</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-popLinkWitnessV2</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-identityProofV2</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-raIdentityWitness</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-changeSubjectName</tt></t>
        </li>
        <li>
          <t><tt>id-cmc-responseBody</tt></t>
        </li>
      </ul>
      <t>IANA has replaced the references for the following CMC
content types found in the "SMI Security for PKIX CMC Content Types"
registry <xref target="CMC-CTS"/> with a pointer to this document:</t>
      <ul spacing="normal">
        <li>
          <t><tt>id-cct-PKIData</tt></t>
        </li>
        <li>
          <t><tt>id-cct-PKIResponse</tt></t>
        </li>
      </ul>
      <t>IANA has replaced the references for the following PKIX
access descriptor found in the "SMI Security for PKIX Access
Descriptor" registry <xref target="PKIX-ADS"/> with a pointer to this document:</t>
      <ul spacing="normal">
        <li>
          <t><tt>id-ad-cmc</tt></t>
        </li>
      </ul>

      <t>IANA is to note that the references for the following module OIDs
in the "SMI Security for PKIX Module Identifier" registry
<xref target="PKIX-MODIDS"/> are to remain unchanged as these modules remain
unchanged by this specification:</t>
      <ul spacing="normal">
        <li>
          <t><tt>id-mod-cmc</tt></t>
        </li>
        <li>
          <t><tt>id-mod-cmc2002</tt></t>
        </li>
        <li>
          <t><tt>id-mod-enrollMsgSyntax-2011-88</tt></t>
        </li>
        <li>
          <t><tt>id-mod-enrollMsgSyntax-2011-08</tt></t>
        </li>
      </ul>
      <t>Likewise, the <tt>id-cmc-glaRR</tt> entry in the "SMI Security for PKIX CMC
Controls" registry and all entries in the "SMI Security for PKIX CMC
Controls" and "SMI Security for PKIX CMC GLA Requests and Responses"
registries are to remain unchanged.</t>
    </section>
  </middle>
  <back>
    <displayreference target="RFC5911" to="CMS-ALGS"/>
    <displayreference target="RFC6268" to="HMAC-ALGS"/>
    <displayreference target="RFC5912" to="ADD-ASN1"/>

    <displayreference target="RFC5652" to="CMS"/>
    <displayreference target="RFC5083" to="CMS-AE"/>
    <displayreference target="RFC4211" to="CRMF"/>
    <displayreference target="RFC2986" to="PKCS10"/>
    <displayreference target="RFC6955" to="DH-POP"/>
    <displayreference target="RFC10003" to="CMC-TRANS"/>
    <displayreference target="RFC2785" to="SMALL-GROUP"/>
    <displayreference target="RFC5280" to="PKIXCERT"/>
    <displayreference target="RFC2631" to="X942"/>
    <displayreference target="RFC10004" to="CMC-COMPL"/>
    <displayreference target="RFC4086" to="RANDOM"/>
    <displayreference target="RFC5272" to="CMC-PROTv1"/>
    <displayreference target="RFC9629" to="CMS-KEM"/>
    <displayreference target="RFC6402" to="CMC-Updates"/>

    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5652.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5083.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5911.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4211.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6955.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6268.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"/>
        <reference anchor="ASN.1" target="https://www.itu.int/rec/T-REC-X.680">
          <front>
            <title>Information technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
            <author>
              <organization>ITU-T</organization>
            </author>
            <date year="2021" month="February"/>
          </front>
          <seriesInfo name="ITU-T Recommendation" value="X.680"/>
          <seriesInfo name="ISO/IEC" value="8824-1:2021"/>
        </reference>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5272.xml"/>

        <reference anchor="RFC10003" target="https://www.rfc-editor.org/info/rfc10003">
          <front>
            <title>Certificate Management over CMS (CMC): Transport Protocols</title>
            <author fullname="Joe Mandel" initials="J." surname="Mandel" role="editor">
              <organization>AKAYLA, Inc.</organization>
            </author>
            <author fullname="Sean Turner" initials="S." surname="Turner" role="editor">
              <organization>sn3rd</organization>
            </author>
            <date month="July" year="2026"/>
          </front>
  <seriesInfo name="RFC" value="10003"/>
  <seriesInfo name="DOI" value="10.17487/RFC10003"/>
        </reference>
-->
        <reference anchor="RFC10004" target="https://www.rfc-editor.org/info/rfc10004">
          <front>
            <title>Certificate Management over CMS (CMC): Compliance Requirements</title>
            <author fullname="Joe Mandel" initials="J." surname="Mandel" role="editor">
              <organization>AKAYLA, Inc.</organization>
            </author>
            <author fullname="Sean Turner" initials="S." surname="Turner" role="editor">
              <organization>sn3rd</organization>
            </author>
            <date month="July" year="2026"/>
          </front>
  <seriesInfo name="RFC" value="10004"/>
  <seriesInfo name="DOI" value="10.17487/RFC10004"/>
        </reference>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6402.xml"/>

        <reference anchor="PASSWORD">
          <front>
            <title>Digital Identity Guidelines</title>
            <author fullname="David Temoshok" initials="D." surname="Temoshok">
              <organization/>
            </author>
            <author fullname="Diana Proud-Madruga" initials="D." surname="Proud-Madruga">
              <organization/>
            </author>
            <author fullname="Yee-Yin Choong" initials="Y." surname="Choong">
              <organization/>
            </author>
            <author fullname="Ryan Galluzzo" initials="R." surname="Galluzzo">
              <organization/>
            </author>
            <author fullname="Sarbari Gupta" initials="S." surname="Gupta">
              <organization/>
            </author>
            <author fullname="Connie LaSalle" initials="C." surname="LaSalle">
              <organization/>
            </author>
            <author fullname="Naomi Lefkovitz" initials="N." surname="Lefkovitz">
              <organization/>
            </author>
            <author fullname="Andrew Regenscheid" initials="A." surname="Regenscheid">
              <organization/>
            </author>
            <date month="June" year="2025"/>
          </front>
          <seriesInfo name="NIST SP" value="800-63-4"/>
          <seriesInfo name="DOI" value="10.6028/nist.sp.800-63-4"/>
          <refcontent>National Institute of Standards and Technology</refcontent>
        </reference>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2785.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2631.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2797.xml"/>
        <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9629.xml"/>
        <reference anchor="PKIX-MODIDS" target="https://www.iana.org/assignments/smi-numbers/">
          <front>
            <title>SMI Security for PKIX Module Identifier</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="SMIME-ATTRS" target="https://www.iana.org/assignments/smi-numbers/">
          <front>
            <title>SMI Security for S/MIME Attributes (1.2.840.113549.1.9.16.2)</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="PKIX-EKPS" target="https://www.iana.org/assignments/smi-numbers/">
          <front>
            <title>SMI Security for PKIX Extended Key Purpose</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA-PKIX-ALGS" target="https://www.iana.org/assignments/smi-numbers/">
          <front>
            <title>SMI Security for PKIX Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="CMC-CTRLS" target="https://www.iana.org/assignments/smi-numbers/">
          <front>
            <title>SMI Security for PKIX CMC Controls</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="CMC-CTS" target="https://www.iana.org/assignments/smi-numbers/">
          <front>
            <title>SMI Security for PKIX CMC Content Types</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="PKIX-ADS" target="https://www.iana.org/assignments/smi-numbers/">
          <front>
            <title>SMI Security for PKIX Access Descriptor</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="Str23" target="https://ia.cr/2023/1801">
          <front>
            <title>ForgedAttributes: An Existential Forgery Vulnerability of CMS Signatures</title>
            <author initials="F." surname="Strenzke">
              <organization/>
            </author>
            <date year="2023" month="November" day="22"/>
          </front>
          <format type="PDF" target="https://eprint.iacr.org/2023/1801.pdf"/>
          <refcontent>Cryptology ePrint Archive, Paper 2023/1801</refcontent>
        </reference>
        <reference anchor="Err2063" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid2063">
          <front>
            <title>RFC Errata, Erratum 2063, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err7627" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid7627">
          <front>
            <title>RFC Errata, Erratum 7627, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err2731" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid2731">
          <front>
            <title>RFC Errata, Erratum 2731, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err4775" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid4775">
          <front>
            <title>RFC Errata, Erratum 4775, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err7379" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid7379">
          <front>
            <title>RFC Errata, Erratum 7379, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err7628" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid7628">
          <front>
            <title>RFC Errata, Erratum 7628, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err7629" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid7629">
          <front>
            <title>RFC Errata, Erratum 7629, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err3943" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid3943">
          <front>
            <title>RFC Errata, Erratum 3943, RFC 6402</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err8027" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid8027">
          <front>
            <title>RFC Errata, Erratum 8027, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err8137" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid8137">
          <front>
            <title>RFC Errata, Erratum 8137, RFC 5272</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err8385" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid8385">
          <front>
            <title>RFC Errata, Erratum 8385, RFC 6402</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err6571" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid6571">
          <front>
            <title>RFC Errata, Erratum 6571, RFC 6402</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
        <reference anchor="Err5931" quoteTitle="false" target="https://www.rfc-editor.org/errata/eid5931">
          <front>
            <title>RFC Errata, Erratum 5931, RFC 6402</title>
            <author>
              <organization/>
            </author>
          </front>
        </reference>
      </references>
    </references>

    <section anchor="asn.1-modules">
      <name>ASN.1 Modules</name>
      <section anchor="asn.1-cmc">
        <name>ASN.1 Module for CMC</name>
        <sourcecode markers="true" type="asn.1"><![CDATA[
EnrollmentMessageSyntax-2025
    { iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-enrollMsgSyntax-2025(124) }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

  EXPORTS ALL;

  IMPORTS

  AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE
  FROM PKIX-CommonTypes-2009
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-pkixCommon-02(57) }

  AlgorithmIdentifier{}, DIGEST-ALGORITHM, KEY-WRAP, KEY-DERIVATION,
      MAC-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY
  FROM AlgorithmInformation-2009
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-algorithmInformation-02(58) }

  CertificateSerialNumber, GeneralName, CRLReason, ReasonFlags,
      CertExtensions, GeneralNames
  FROM PKIX1Implicit-2009
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-pkix1-implicit-02(59) }

  Name, id-pkix, PublicKeyAlgorithms, SignatureAlgorithms, id-ad,
      id-kp
  FROM PKIX1Explicit-2009
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-pkix1-explicit-02(51) }

  ContentInfo, IssuerAndSerialNumber, CONTENT-TYPE
  FROM CryptographicMessageSyntax-2010
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
      pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

  CertReqMsg, PKIPublicationInfo, CertTemplate
  FROM PKIXCRMF-2009
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-crmf2005-02(55) }

  mda-sha1
  FROM PKIXAlgs-2009
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-algorithms2008-02(56) }

  maca-hMAC-SHA1
  FROM CryptographicMessageSyntaxAlgorithms-2009
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
        pkcs-9(9) smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

  mda-sha256
  FROM PKIX1-PSS-OAEP-Algorithms-2009
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-pkix1-rsa-pkalgs-02(54) }

  maca-hMAC-SHA256
  FROM HMAC-2010
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) mod(0) id-mod-hmac(74) }

  kda-PBKDF2
  FROM PBKDF2-PRFs-2025
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
        pkcs-9(9) smime(16) modules(0)
        id-mod-pbkdf2-prfs-2025(125) } ;

  --  CMS content types defined in this document

  CMC-ContentTypes CONTENT-TYPE ::= {
      ct-PKIData | ct-PKIResponse, ... }

  --  Signature Algorithms defined in this document

  SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature }

  --  CMS Unsigned Attributes

  CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData }

  id-cmc OBJECT IDENTIFIER ::= { id-pkix 7 }   -- CMC controls
  id-cct OBJECT IDENTIFIER ::= { id-pkix 12 }  -- CMC content types

  -- This is the content type for a request message in the protocol

  ct-PKIData CONTENT-TYPE ::=
      { TYPE PKIData IDENTIFIED BY id-cct-PKIData }

  id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }

  PKIData ::= SEQUENCE {
      controlSequence    SEQUENCE SIZE (0..MAX) OF TaggedAttribute,
      reqSequence        SEQUENCE SIZE (0..MAX) OF TaggedRequest,
      cmsSequence        SEQUENCE SIZE (0..MAX) OF TaggedContentInfo,
      otherMsgSequence   SEQUENCE SIZE (0..MAX) OF OtherMsg
  }

  BodyPartID ::= INTEGER(0..4294967295)

  TaggedAttribute ::= SEQUENCE {
      bodyPartID         BodyPartID,
      attrType           CMC-CONTROL.&id({Cmc-Control-Set}),
      attrValues         SET OF CMC-CONTROL.
                             &Type({Cmc-Control-Set}{@attrType})
  }

  Cmc-Control-Set CMC-CONTROL ::= {
      cmc-identityProof | cmc-dataReturn | cmc-regInfo |
      cmc-responseInfo | cmc-queryPending | cmc-popLinkRandom |
      cmc-popLinkWitness | cmc-identification | cmc-transactionId |
      cmc-senderNonce | cmc-recipientNonce | cmc-statusInfo |
      cmc-addExtensions | cmc-encryptedPOP | cmc-decryptedPOP |
      cmc-lraPOPWitness | cmc-getCert | cmc-getCRL |
      cmc-revokeRequest | cmc-confirmCertAcceptance |
      cmc-statusInfoV2 | cmc-trustedAnchors | cmc-authData |
      cmc-batchRequests | cmc-batchResponses | cmc-publishCert |
      cmc-modCertTemplate | cmc-controlProcessed |
      cmc-identityProofV2 | cmc-popLinkWitnessV2 |
      cmc-raIdentityWitness | cmc-responseBody, ... }

  OTHER-REQUEST ::= TYPE-IDENTIFIER

  --  We do not define any other requests in this document.
  --  Examples might be attribute certification requests.

  OtherRequests OTHER-REQUEST ::= {...}

  TaggedRequest ::= CHOICE {
      tcr               [0] TaggedCertificationRequest,
      crm               [1] CertReqMsg,
      orm               [2] SEQUENCE {
          bodyPartID            BodyPartID,
          requestMessageType    OTHER-REQUEST.&id({OtherRequests}),
          requestMessageValue   OTHER-REQUEST.&Type({OtherRequests}
                                    {@.requestMessageType})
      }
  }

  TaggedCertificationRequest ::= SEQUENCE {
      bodyPartID            BodyPartID,
      certificationRequest  CertificationRequest
  }

  AttributeList ATTRIBUTE ::= {
      at-extension-req | at-cmc-changeSubjectName, ... }

  CertificationRequest ::= SEQUENCE {
      certificationRequestInfo  SEQUENCE {
          version                 INTEGER,
          subject                 Name,
          subjectPublicKeyInfo    SEQUENCE {
              algorithm               AlgorithmIdentifier{PUBLIC-KEY,
                                          {PublicKeyAlgorithms}},
              subjectPublicKey        BIT STRING
          },
          attributes                [0] IMPLICIT SET OF
                                        AttributeSet{{AttributeList}}
       },
       signatureAlgorithm        AlgorithmIdentifier
                                     {SIGNATURE-ALGORITHM,
                                         {SignatureAlgorithms}},
      signature                 BIT STRING
  }

  TaggedContentInfo ::= SEQUENCE {
      bodyPartID              BodyPartID,
      contentInfo             ContentInfo
  }

  OTHER-MSG ::= TYPE-IDENTIFIER

  --  No other messages currently defined

  OtherMsgSet OTHER-MSG ::= {...}

  OtherMsg ::= SEQUENCE {
      bodyPartID      BodyPartID,
      otherMsgType    OTHER-MSG.&id({OtherMsgSet}),
      otherMsgValue   OTHER-MSG.&Type({OtherMsgSet}{@otherMsgType}) }

  --  This defines the response message in the protocol

  ct-PKIResponse CONTENT-TYPE ::=
      { TYPE PKIResponse IDENTIFIED BY id-cct-PKIResponse }

  id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }

  ResponseBody ::= PKIResponse

  PKIResponse ::= SEQUENCE {
      controlSequence   SEQUENCE SIZE (0..MAX) OF TaggedAttribute,
      cmsSequence       SEQUENCE SIZE (0..MAX) OF TaggedContentInfo,
      otherMsgSequence  SEQUENCE SIZE (0..MAX) OF OtherMsg
  }

  CMC-CONTROL ::= TYPE-IDENTIFIER

  -- The following controls have the type OCTET STRING

  cmc-identityProof CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-identityProof }

  id-cmc-identityProof OBJECT IDENTIFIER ::= { id-cmc 3 }

  cmc-dataReturn CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-dataReturn }

  id-cmc-dataReturn OBJECT IDENTIFIER ::= { id-cmc 4 }

  cmc-regInfo CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-regInfo }

  id-cmc-regInfo OBJECT IDENTIFIER ::= { id-cmc 18 }

  cmc-responseInfo CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-responseInfo }

  id-cmc-responseInfo OBJECT IDENTIFIER ::= { id-cmc 19 }

  cmc-queryPending CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-queryPending }

  id-cmc-queryPending OBJECT IDENTIFIER ::= { id-cmc 21 }

  cmc-popLinkRandom CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-popLinkRandom }

  id-cmc-popLinkRandom OBJECT IDENTIFIER ::= { id-cmc 22 }

  cmc-popLinkWitness CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-popLinkWitness }

  id-cmc-popLinkWitness OBJECT IDENTIFIER ::= { id-cmc 23 }

  -- The following controls have the type UTF8String

  cmc-identification CMC-CONTROL ::=
      { UTF8String IDENTIFIED BY id-cmc-identification }

  id-cmc-identification OBJECT IDENTIFIER ::= { id-cmc 2 }

  -- The following controls have the type INTEGER

  cmc-transactionId CMC-CONTROL ::=
      { INTEGER IDENTIFIED BY id-cmc-transactionId }

  id-cmc-transactionId OBJECT IDENTIFIER ::= { id-cmc 5 }

  -- The following controls have the type OCTET STRING

  cmc-senderNonce CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-senderNonce }

  id-cmc-senderNonce OBJECT IDENTIFIER ::= { id-cmc 6 }

  cmc-recipientNonce CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-recipientNonce }

  id-cmc-recipientNonce OBJECT IDENTIFIER ::= { id-cmc 7 }

  -- Used to return status in a response

  cmc-statusInfo CMC-CONTROL ::=
      { CMCStatusInfo IDENTIFIED BY id-cmc-statusInfo }

  id-cmc-statusInfo OBJECT IDENTIFIER ::= { id-cmc 1 }

  CMCStatusInfo ::= SEQUENCE {
      cMCStatus       CMCStatus,
      bodyList        SEQUENCE SIZE (1..MAX) OF BodyPartID,
      statusString    UTF8String OPTIONAL,
      otherInfo       CHOICE {
         failInfo         CMCFailInfo,
         pendInfo         PendInfo
      } OPTIONAL
  }

  PendInfo ::= SEQUENCE {
      pendToken        OCTET STRING,
      pendTime         GeneralizedTime
  }

  CMCStatus ::= INTEGER {
      success         (0),
      failed          (2),
      pending         (3),
      noSupport       (4),
      confirmRequired (5),
      popRequired     (6),
      partial         (7)
  }

  CMCFailInfo ::= INTEGER {
      badAlg          (0),
      badMessageCheck (1),
      badRequest      (2),
      badTime         (3),
      badCertId       (4),
      unsuportedExt   (5),
      mustArchiveKeys (6),
      badIdentity     (7),
      popRequired     (8),
      popFailed       (9),
      noKeyReuse      (10),
      internalCAError (11),
      tryLater        (12),
      authDataFail    (13)
  }

  -- Used for RAs to add extensions to certification requests

  cmc-addExtensions CMC-CONTROL ::=
      { AddExtensions IDENTIFIED BY id-cmc-addExtensions }

  id-cmc-addExtensions OBJECT IDENTIFIER ::= { id-cmc 8 }

  AddExtensions ::= SEQUENCE {
      pkiDataReference    BodyPartID,
      certReferences      SEQUENCE OF BodyPartID,
      extensions          SEQUENCE OF Extension{{CertExtensions}}
  }

  cmc-encryptedPOP CMC-CONTROL ::=
      { EncryptedPOP IDENTIFIED BY id-cmc-encryptedPOP }

  cmc-decryptedPOP CMC-CONTROL ::=
      { DecryptedPOP IDENTIFIED BY id-cmc-decryptedPOP }

  id-cmc-encryptedPOP OBJECT IDENTIFIER ::= { id-cmc 9 }

  id-cmc-decryptedPOP OBJECT IDENTIFIER ::= { id-cmc 10 }

  EncryptedPOP ::= SEQUENCE {
      request       TaggedRequest,
      cms             ContentInfo,
      thePOPAlgID     AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
      witnessAlgID    AlgorithmIdentifier{DIGEST-ALGORITHM,
                          {WitnessAlgs}},
      witness         OCTET STRING
  }

  POPAlgs MAC-ALGORITHM ::= {
      maca-hMAC-SHA1 | maca-hMAC-SHA256, ... }

  WitnessAlgs DIGEST-ALGORITHM ::= { mda-sha1 | mda-sha256, ... }

  DecryptedPOP ::= SEQUENCE {
      bodyPartID      BodyPartID,
      thePOPAlgID     AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
      thePOP          OCTET STRING
  }

  cmc-lraPOPWitness CMC-CONTROL ::=
      { LraPopWitness IDENTIFIED BY id-cmc-lraPOPWitness }

  id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= { id-cmc 11 }

  LraPopWitness ::= SEQUENCE {
      pkiDataBodyid   BodyPartID,
      bodyIds         SEQUENCE OF BodyPartID
  }

  cmc-getCert CMC-CONTROL ::=
      { GetCert IDENTIFIED BY id-cmc-getCert }

  id-cmc-getCert OBJECT IDENTIFIER ::= { id-cmc 15 }

  GetCert ::= SEQUENCE {
      issuerName      GeneralName,
      serialNumber    INTEGER }

  cmc-getCRL CMC-CONTROL ::=
      { GetCRL IDENTIFIED BY id-cmc-getCRL }

  id-cmc-getCRL OBJECT IDENTIFIER ::= { id-cmc 16 }

  GetCRL ::= SEQUENCE {
      issuerName    Name,
      cRLName       GeneralName OPTIONAL,
      time          GeneralizedTime OPTIONAL,
      reasons       ReasonFlags OPTIONAL }

  cmc-revokeRequest CMC-CONTROL ::=
      { RevokeRequest IDENTIFIED BY id-cmc-revokeRequest }

  id-cmc-revokeRequest OBJECT IDENTIFIER ::= { id-cmc 17 }

  RevokeRequest ::= SEQUENCE {
      issuerName            Name,
      serialNumber          INTEGER,
      reason                CRLReason,
      invalidityDate        GeneralizedTime OPTIONAL,
      passphrase            OCTET STRING OPTIONAL,
      comment               UTF8String OPTIONAL }

  cmc-confirmCertAcceptance CMC-CONTROL ::=
      { CMCCertId IDENTIFIED BY id-cmc-confirmCertAcceptance }

  id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= { id-cmc 24 }

  CMCCertId ::= IssuerAndSerialNumber

  -- The following is used to request V3 extensions be added
  -- to a certificate

  at-extension-req ATTRIBUTE ::= {
      TYPE ExtensionReq IDENTIFIED BY id-ExtensionReq }

  id-ExtensionReq OBJECT IDENTIFIER ::= { iso(1) member-body(2)
      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 14 }

  ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF
      Extension{{CertExtensions}}

  -- The following allows Diffie-Hellman Certification Request
  -- Messages to be well-formed

  sa-noSignature SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-alg-noSignature
      VALUE NoSignatureValue
      PARAMS TYPE NULL ARE required
      HASHES { mda-sha1 }
  }

  id-alg-noSignature OBJECT IDENTIFIER ::= { id-pkix id-alg(6) 2 }

  NoSignatureValue ::= OCTET STRING

  --  Unauthenticated attribute to carry removable data.

  id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
      rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) }

  aa-cmc-unsignedData ATTRIBUTE ::= {
      TYPE CMCUnsignedData IDENTIFIED BY id-aa-cmc-unsignedData }

  id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= { id-aa 34 }

  CMCUnsignedData ::= SEQUENCE {
      bodyPartPath        BodyPartPath,
      identifier          TYPE-IDENTIFIER.&id,
      content             TYPE-IDENTIFIER.&Type
  }

  --  Replaces CMC Status Info
  --

  cmc-statusInfoV2 CMC-CONTROL ::=
      { CMCStatusInfoV2 IDENTIFIED BY id-cmc-statusInfoV2 }

  id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= { id-cmc 25 }

  EXTENDED-FAILURE-INFO ::= TYPE-IDENTIFIER

  ExtendedFailures EXTENDED-FAILURE-INFO ::= {...}

  CMCStatusInfoV2 ::= SEQUENCE {
     cMCStatus             CMCStatus,
     bodyList              SEQUENCE SIZE (1..MAX) OF
                                    BodyPartReference,
     statusString          UTF8String OPTIONAL,
     otherInfo             CHOICE {
         failInfo               CMCFailInfo,
         pendInfo               PendInfo,
         extendedFailInfo       [1] SEQUENCE {
            failInfoOID            TYPE-IDENTIFIER.&id
                                       ({ExtendedFailures}),
            failInfoValue          TYPE-IDENTIFIER.&Type
                                       ({ExtendedFailures}
                                           {@.failInfoOID})
         }
      } OPTIONAL
  }

  BodyPartReference ::= CHOICE {
     bodyPartID           BodyPartID,
     bodyPartPath         BodyPartPath
  }

  BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID

  --  Allow for distribution of trust anchors

  cmc-trustedAnchors CMC-CONTROL ::=
      { PublishTrustAnchors IDENTIFIED BY id-cmc-trustedAnchors }

  id-cmc-trustedAnchors OBJECT IDENTIFIER ::= { id-cmc 26 }

  PublishTrustAnchors ::= SEQUENCE {
      seqNumber      INTEGER,
      hashAlgorithm  AlgorithmIdentifier{DIGEST-ALGORITHM,
                         {HashAlgorithms}},
      anchorHashes   SEQUENCE OF OCTET STRING
  }

  HashAlgorithms DIGEST-ALGORITHM ::= {
     mda-sha1 | mda-sha256, ...
  }

  cmc-authData CMC-CONTROL ::=
      { AuthPublish IDENTIFIED BY id-cmc-authData }

  id-cmc-authData OBJECT IDENTIFIER ::= { id-cmc 27 }

  AuthPublish ::= BodyPartID

  --   These two items use BodyPartList

  cmc-batchRequests CMC-CONTROL ::=
      { BodyPartList IDENTIFIED BY id-cmc-batchRequests }

  id-cmc-batchRequests OBJECT IDENTIFIER ::= { id-cmc 28 }

  cmc-batchResponses CMC-CONTROL ::=
      { BodyPartList IDENTIFIED BY id-cmc-batchResponses }

  id-cmc-batchResponses OBJECT IDENTIFIER ::= { id-cmc 29 }

  BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID

  cmc-publishCert CMC-CONTROL ::=
      { CMCPublicationInfo IDENTIFIED BY id-cmc-publishCert }

  id-cmc-publishCert OBJECT IDENTIFIER ::= { id-cmc 30 }

  CMCPublicationInfo ::= SEQUENCE {
      hashAlg        AlgorithmIdentifier{DIGEST-ALGORITHM,
                           {HashAlgorithms}},
      certHashes     SEQUENCE OF OCTET STRING,
      pubInfo        PKIPublicationInfo
  }

  cmc-modCertTemplate CMC-CONTROL ::=
      { ModCertTemplate IDENTIFIED BY id-cmc-modCertTemplate }

  id-cmc-modCertTemplate OBJECT IDENTIFIER ::= { id-cmc 31 }

  ModCertTemplate ::= SEQUENCE {
      pkiDataReference             BodyPartPath,
      certReferences               BodyPartList,
      replace                      BOOLEAN DEFAULT TRUE,
      certTemplate                 CertTemplate
  }

  -- Inform follow-on servers that one or more controls have
  -- already been processed

  cmc-controlProcessed CMC-CONTROL ::=
      { ControlsProcessed IDENTIFIED BY id-cmc-controlProcessed }

  id-cmc-controlProcessed OBJECT IDENTIFIER ::= { id-cmc 32 }

  ControlsProcessed ::= SEQUENCE {
      bodyList            SEQUENCE SIZE (1..MAX) OF BodyPartReference
  }

  --  Identity Proof control w/ algorithm agility

  cmc-identityProofV2 CMC-CONTROL ::=
      { IdentityProofV2 IDENTIFIED BY id-cmc-identityProofV2 }

  id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 34 }

  IdentityProofV2 ::= SEQUENCE {
      proofAlgID      AlgorithmIdentifier{DIGEST-ALGORITHM,
                          {WitnessAlgs}},
      macAlgId        AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
      witness         OCTET STRING
  }

  cmc-popLinkWitnessV2 CMC-CONTROL ::=
      { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 }

  id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 33 }

  PopLinkWitnessV2 ::= SEQUENCE {
      keyGenAlgorithm  AlgorithmIdentifier{KEY-DERIVATION,
                           {KeyDevAlgs}},
      macAlgorithm     AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
      witness          OCTET STRING
  }

  KeyDevAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }

  cmc-raIdentityWitness CMC-CONTROL ::=
     { BodyPartPath IDENTIFIED BY id-cmc-raIdentityWitness }

  id-cmc-raIdentityWitness OBJECT IDENTIFIER ::= {id-cmc 35}

  --
  --  Allow for an End-Entity to request a change in name.
  --  This item is added to RegControlSet in CRMF.
  --
  at-cmc-changeSubjectName ATTRIBUTE ::= {
      TYPE ChangeSubjectName IDENTIFIED BY id-cmc-changeSubjectName }

  id-cmc-changeSubjectName OBJECT IDENTIFIER ::= { id-cmc 36 }

  ChangeSubjectName ::= SEQUENCE {
      subject             Name OPTIONAL,
      subjectAlt          [1] GeneralNames OPTIONAL
  }
  (WITH COMPONENTS {..., subject PRESENT} |
   WITH COMPONENTS {..., subjectAlt PRESENT} )

  --
  --  Embedded response from a third party for processing
  --

  cmc-responseBody CMC-CONTROL ::=
     { BodyPartPath IDENTIFIED BY id-cmc-responseBody }

  id-cmc-responseBody OBJECT IDENTIFIER ::= { id-cmc 37 }

  --
  --  Key purpose identifiers are in the Extended Key Usage extension
  --

  id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 }
  id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
  id-kp-cmcArchive OBJECT IDENTIFIER ::= { id-kp 29 }

  --
  --  Subject Information Access identifier
  --

  id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 }

END]]></sourcecode>
      </section>
      <section anchor="asn.1-pbkdf2">
        <name>ASN.1 Module for PBKDF2 PRFs</name>
        <sourcecode markers="true" type="asn.1"><![CDATA[
PBKDF2-PRFs-2025
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
    pkcs-9(9) smime(16) modules(0) id-mod-pbkdf2-prfs-2025(125) }

DEFINITIONS IMPLICIT TAGS ::= BEGIN

  IMPORTS

  ALGORITHM, AlgorithmIdentifier{}, KEY-DERIVATION
  FROM AlgorithmInformation-2009 -- From [PKIX-ALGS]
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-algorithmInformation-02(58) }

  hMAC-SHA1, alg-hMAC-SHA1, id-PBKDF2
  FROM CryptographicMessageSyntaxAlgorithms-2009 -- From [CMS-ALGS]
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
        pkcs-9(9) smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

  id-hmacWithSHA224, id-hmacWithSHA256,
  id-hmacWithSHA384, id-hmacWithSHA512
  FROM HMAC-2010 -- From [HMAC-ALGS]
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) mod(0) id-mod-hmac(74) } ;

  -- Base OID for algorithms --

  rsadsi OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
      rsadsi(113549) }

  digestAlgorithm OBJECT IDENTIFIER ::= { rsadsi 2 }

  id-hmacWithSHA512-224 OBJECT IDENTIFIER ::= { digestAlgorithm 12 }

  id-hmacWithSHA512-256 OBJECT IDENTIFIER ::= { digestAlgorithm 13 }

  -- PBKDF2-PRFs --

  PBKDF2-PRFs ALGORITHM ::= {
      alg-hMAC-SHA1 |
      alg-hMAC-SHA224 | alg-hMAC-SHA256 |
      alg-hMAC-SHA384 | alg-hMAC-SHA512 |
      alg-hMAC-SHA512-224 | alg-hMAC-SHA512-256, ... }

  PBKDF2-PRFsAlgorithmIdentifier ::=
      AlgorithmIdentifier{ ALGORITHM, {PBKDF2-PRFs} }

  alg-hMAC-SHA224 ALGORITHM ::= { IDENTIFIER
      id-hmacWithSHA224 PARAMS TYPE NULL ARE preferredAbsent }

  alg-hMAC-SHA256 ALGORITHM ::= { IDENTIFIER
      id-hmacWithSHA256 PARAMS TYPE NULL ARE preferredAbsent }

  alg-hMAC-SHA384 ALGORITHM ::= { IDENTIFIER
      id-hmacWithSHA384 PARAMS TYPE NULL ARE preferredAbsent }

  alg-hMAC-SHA512 ALGORITHM ::= { IDENTIFIER
      id-hmacWithSHA512 PARAMS TYPE NULL ARE preferredAbsent }

  alg-hMAC-SHA512-224 ALGORITHM ::= { IDENTIFIER
      id-hmacWithSHA512-224 PARAMS TYPE NULL ARE preferredAbsent }

  alg-hMAC-SHA512-256 ALGORITHM ::= { IDENTIFIER
      id-hmacWithSHA512-256 PARAMS TYPE NULL ARE preferredAbsent }

  -- PBKDF2-SaltSources --

  PBKDF2-SaltSources ALGORITHM ::= { ... }

  PBKDF2-SaltSourcesAlgorithmIdentifier ::=
      AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources} }

  -- PBKDF2-params --

  PBKDF2-params ::= SEQUENCE {
      salt CHOICE {
          specified OCTET STRING,
          otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
      iterationCount INTEGER (1..MAX),
      keyLength INTEGER (1..MAX) OPTIONAL,
      prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT defaultPBKDF2 }

  defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
      { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }

  -- Key Derivation Algorithms --

  KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }

  kda-PBKDF2 KEY-DERIVATION ::= {
      IDENTIFIER id-PBKDF2
      PARAMS TYPE PBKDF2-params ARE required
      -- No S/MIME caps defined
  }

END]]></sourcecode>

      </section>
    </section>
    <section anchor="enroll">
      <name>Enrollment Message Flows</name>
      <t>This section is informational.  The purpose of this section is to
present, in an abstracted version, the messages that would flow
between the client and server for several different common cases.</t>
      <section anchor="RequestofaSigningCertificate">
        <name>Request of a Signing Certificate</name>
        <t>This section looks at the messages that would flow in the event that
an enrollment is occurring for a signing-only key.  If the
certificate was designed for both signing and encryption, the only
difference would be the key usage extension in the certification
request.</t>
        <t>Message from client to server:</t>
        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIData
       eContent
         controlSequence
           {102, id-cmc-identityProof, computed value}
           {103, id-cmc-senderNonce, 10001}
         reqSequence
           crm
             certReq
               certReqId = 201
               certTemplate
                 subject = My Proposed DN
                 publicKey = My Public Key
                 extensions
                   {id-ce-subjectKeyIdentifier, 1000}
                   {id-ce-keyUsage, digitalSignature}
     SignedData.SignerInfos
       SignerInfo
         sid.subjectKeyIdentifier = 1000]]></sourcecode>

        <t>Response from server to client:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIResponse
       eContent
         controlSequence
           {102, id-cmc-statusInfoV2, {success, 201}}
           {103, id-cmc-senderNonce, 10005}
           {104, id-cmc-recipientNonce, 10001}
     certificates
       Newly issued certificate
       Other certificates
     SignedData.SignerInfos
       Signed by CA]]></sourcecode>

      </section>
      <section anchor="SingleCertificationRequestModifiedbyRA">
        <name>Single Certification Request Modified by RA</name>
        <t>This section looks at the messages that would flow in the event that
an enrollment has one RA in the middle of the data flow.  That RA
will modify the certification request before passing it on to the CA.</t>
        <t>Message from client to RA:</t>
        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIData
       eContent
         controlSequence
           {102, id-cmc-identityProof, computed value}
           {103, id-cmc-senderNonce, 10001}
         reqSequence
           crm
             certReq
               certReqId = 201
               certTemplate
                 subject = My Proposed DN
                 publicKey = My Public Key
                 extensions
                   {id-ce-subjectKeyIdentifier, 1000}
                   {id-ce-keyUsage, digitalSignature}
     SignedData.SignerInfos
       SignerInfo
         sid.subjectKeyIdentifier = 1000]]></sourcecode>

        <t>Message from RA to CA:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIData
       eContent
         controlSequence
           { 102, id-cmc-batchRequests, { 1, 2} }
           { 103, id-cmc-addExtensions,
             { {1, 201, {id-ce-certificatePolicies, anyPolicy}}
               {1, 201, {id-ce-subjectAltName, {extension data}}
               {2, XXX, {id-ce-subjectAltName, {extension data}}}
                     The Value XXX is not known here; it would
                     reference into the second client request,
                     which is not displayed above.
         cmsSequence
           { 1, <Message from client to RA #1> }
           { 2, <Message from client to RA #2> }
     SignedData.SignerInfos
       SignerInfo
         sid = RA key.]]></sourcecode>

        <t>Response from CA to RA:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIResponse
       eContent
         controlSequence
           {102, id-cmc-batchResponses, {999, 998}}

           {103, id-cmc-statusInfoV2, {failed, 2, badIdentity}}
         cmsSequence
           { bodyPartID = 999
             contentInfo
               ContentInfo.contentType = id-signedData
               ContentInfo.content
                 SignedData.encapContentInfo
                   eContentType = id-cct-PKIResponse
                   eContent
                     controlSequence
                      {102, id-cmc-statusInfoV2, {success, 201}}
                 certificates
                   Newly issued certificate
                   Other certificates
                 SignedData.SignerInfos
                   Signed by CA
           }
           { bodyPartID = 998,
             contentInfo
               ContentInfo.contentType = id-signedData
               ContentInfo.content
                 SignedData.encapContentInfo
                   eContentType = id-cct-PKIResponse
                   eContent
                     controlSequence
                       {102, id-cmc-statusInfoV2, {failure, badAlg}}
                 certificates
                   Newly issued certificate
                   Other certificates
                 SignedData.SignerInfos
                   Signed by CA
           }
         SignedData.SignerInfos
           Signed by CA]]></sourcecode>

        <t>Response from RA to client:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIResponse
       eContent
         controlSequence
           {102, id-cmc-statusInfoV2, {success, 201}}
     certificates
       Newly issued certificate
       Other certificates
     SignedData.SignerInfos
       Signed by CA]]></sourcecode>
      </section>
      <section anchor="DirectPOPforRSACertificate">
        <name>Direct POP for an RSA or KEM Certificate</name>

        <t>This section looks at the messages that would flow in the event that
an enrollment is done for an encryption-only certificate using a
direct POP method; an example message follows.  For simplicity, it is assumed that the
certification requester already has a signature certificate. This example uses
<tt>EnvelopedData</tt>; however, either <tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt> can be used.</t>
        <t>Message #1 from client to server:</t>
        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIData
       eContent
         controlSequence
           {102, id-cmc-transactionId, 10132985123483401}
           {103, id-cmc-senderNonce, 10001}
           {104, id-cmc-dataReturn, <packet of binary data
                                     identifying where the key
                                     in question is.>}
         reqSequence
           crm
             certReq
               certReqId = 201
               certTemplate
                 subject = <My DN>
                 publicKey = My Public Key
                 extensions
                   {id-ce-keyUsage, keyEncipherment}
                   {id-ce-subjectPublicKeyIdentifier, 1000}
             popo
               keyEncipherment
                 subsequentMessage = challengeResp
     SignedData.SignerInfos
       SignerInfo
         Signed by requester's signing cert]]></sourcecode>

        <t>Response #1 from server to client:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIResponse
       eContent
         controlSequence
           {101, id-cmc-statusInfoV2, {failed, 201, popRequired}}
           {102, id-cmc-transactionId, 10132985123483401}
           {103, id-cmc-senderNonce, 10005}
           {104, id-cmc-recipientNonce, 10001}
           {105, id-cmc-encryptedPOP, {
              request {
                crm
                  certReq
                    certReqId = 201
                     certTemplate
                       subject = <My DN>
                       publicKey = My Public Key
                       extensions
                         {id-ce-keyUsage, keyEncipherment}
                         {id-ce-subjectPublicKeyIdentifier, 1000}
                   popo
                     keyEncipherment
                       subsequentMessage = challengeResp
              }
              cms
                contentType = id-envelopedData
                content
                  recipientInfos.rid.issuerSerialNumber =
                    <NULL-DN, 201>
                  encryptedContentInfo
                    eContentType = id-data
                    eContent = <Encrypted value of 'y' from
                                Section 6.7>
              thePOPAlgID = HMAC-SHA256
              witnessAlgID = SHA-256
              witness <hashed value of 'y' from Section 6.7>}}
           {106, id-cmc-dataReturn, <packet of binary data
                                     identifying where the key
                                     in question is.>}
     certificates
       Other certificates
         (optional - related to this message's SignedData)
     SignedData.SignerInfos
       Signed by CA]]></sourcecode>

        <t>Message #2 from client to server:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIData
       eContent
         controlSequence
           {102, id-cmc-transactionId, 10132985123483401}
           {103, id-cmc-senderNonce, 100101}
           {104, id-cmc-dataReturn, <packet of binary data
                                     identifying where the key
                                     in question is.>}
           {105, id-cmc-recipientNonce, 10005}
           {107, id-cmc-decryptedPOP, {
             bodyPartID 201,
             thePOPAlgID HMAC-SHA256,
             thePOP <HMAC computed value goes here>}}
         reqSequence
           crm
             certReq
               certReqId = 201
               certTemplate
                 subject = <My DN>
                 publicKey = My Public Key
                 extensions
                   {id-ce-keyUsage, keyEncipherment}
                   {id-ce-subjectKeyIdentifier, 1000}
             popo
               keyEncipherment
                 subsequentMessage = challengeResp
     SignedData.SignerInfos
       SignerInfo
         Signed by requester's signing cert]]></sourcecode>

        <t>Response #2 from server to client:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIResponse
       eContent
         controlSequence
           {101, id-cmc-transactionId, 10132985123483401}
           {102, id-cmc-statusInfoV2, {success, 201}}
           {103, id-cmc-senderNonce, 10019}
           {104, id-cmc-recipientNonce, 100101}
           {105, id-cmc-dataReturn, <packet of binary data
                                     identifying where the key
                                     in question is.>}
     certificates
       Newly issued certificate
       Other certificates
         (optional - related to this message's SignedData)
     SignedData.SignerInfos
       Signed by CA]]></sourcecode>

      </section>
      <section anchor="DirectPOPwithNoSignature">
        <name>Direct POP with No Signature Mechanism</name>
        <t>This section looks at the messages that would flow in the event that
an enrollment is done for an encryption-only certificate using a
direct POP method.  Instead of assuming that the certification
requester already has a signing-only certificate (as in
<xref target="DirectPOPforRSACertificate"/>), here the No Signature mechanism is from
<xref target="NoSig-Sig"/>, the public key is for a KEM, and the <tt>EnvelopedData</tt> uses
the <tt>KEMRecipientInfo</tt> from <xref target="RFC9629"/>. This example uses
<tt>EnvelopedData</tt>; however, either <tt>EnvelopedData</tt> or <tt>AuthEnvelopedData</tt> can be used.</t>
        <t>Message #1 from client to server:</t>
        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIData
       eContent
         controlSequence
           {102, id-cmc-transactionId, 10132985123483401}
           {103, id-cmc-senderNonce, 10001}
           {104, id-cmc-dataReturn, <packet of binary data
                                     identifying where the key
                                     in question is.>}
         reqSequence
           crm
             certReq
               certReqId = 201
               certTemplate
                 subject = < My DN >
                 publicKey = My Public Key
                 extensions
                   {id-ce-subjectPublicKeyIdentifier, 1000}
                   {id-ce-keyUsage, keyEncipherment}
             popo
               keyEncipherment
                 subsequentMessage = challengeResp
     SignedData.SignerInfos
      SignerInfo
        sid = < subjectKeyIdentifier >
        signatureAlgorithm = id-alg-noSignature]]></sourcecode>

        <t>Response #1 from server to client:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIResponse
       eContent
         controlSequence
           {101, id-cmc-statusInfoV2, {failed, 201, popRequired}}
           {102, id-cmc-transactionId, 10132985123483401}
           {103, id-cmc-senderNonce, 10005}
           {104, id-cmc-recipientNonce, 10001}
           {105, id-cmc-encryptedPOP, {
              request {
                crm
                  certReq
                    certReqId = 201
                     certTemplate
                       subject = < My DN >
                       publicKey = My Public Key
                       extensions
                         {id-ce-keyUsage, keyEncipherment}
                         {id-ce-subjectPublicKeyIdentifier, 1000}
                   popo
                     keyEncipherment
                       subsequentMessage = challengeResp
              }
              cms
                contentType = id-envelopedData
                content < uses ori.KEMRecipientInfo >
                  recipientInfos.ori.rid.issuerSerialNumber =
                    <NULL-DN, 201>
                  encryptedContentInfo
                    eContentType = id-data
                    eContent = <Encrypted value of 'y' from
                                Section 6.7>
              thePOPAlgID = KmacWithSHAKE128
              witnessAlgID = SHAKE128
              witness <hashed value of 'y' from Section 6.7>}}
           {106, id-cmc-dataReturn, <packet of binary data
                                     identifying where the key
                                     in question is.>}
     certificates
       Other certificates
         (optional - related to this message's SignedData)
     SignedData.SignerInfos
       Signed by CA]]></sourcecode>

        <t>Message #2 from client to server:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIData
       eContent
         controlSequence
           {102, id-cmc-transactionId, 10132985123483401}
           {103, id-cmc-senderNonce, 100101}
           {104, id-cmc-dataReturn, <packet of binary data
                                     identifying where the key
                                     in question is.>}
           {105, id-cmc-recipientNonce, 10005}
           {107, id-cmc-decryptedPOP, {
             bodyPartID 201,
             thePOPAlgID KmacWithSHAKE128,
             thePOP <KMAC computed value goes here>}}
         reqSequence
           crm
             certReq
               certReqId = 201
               certTemplate
                 subject = < My DN >
                 publicKey = My Public Key
                 extensions
                   {id-ce-keyUsage, keyEncipherment}
                   {id-ce-subjectPublicKeyIdentifier, 1000}
             popo
               keyEncipherment
                 subsequentMessage = challengeResp
     SignedData.SignerInfos
       SignerInfo
         sid = < subjectKeyIdentifier >
         signatureAlgorithm = id-alg-noSignature]]></sourcecode>

        <t>Response #2 from server to client:</t>

        <sourcecode type="pseudocode"><![CDATA[
   ContentInfo.contentType = id-signedData
   ContentInfo.content
     SignedData.encapContentInfo
       eContentType = id-cct-PKIResponse
       eContent
         controlSequence
           {101, id-cmc-transactionId, 10132985123483401}
           {102, id-cmc-statusInfoV2, {success, 201}}
           {103, id-cmc-senderNonce, 10019}
           {104, id-cmc-recipientNonce, 100101}
           {105, id-cmc-dataReturn, <packet of binary data
                                     identifying where the key
                                     in question is.>}
     certificates
       Newly issued certificate
       Other certificates
     SignedData.SignerInfos
       Signed by CA]]></sourcecode>

      </section>
    </section>
    <section anchor="enroll-dh">
      <name>Production of Diffie-Hellman Public Key Certification Requests</name>
      <t>Part of a certification request is a signature over the request;
DH and ECDH are key agreement algorithms and the key encapsulation mechanisms (KEMs) RSA-KEM and ML-KEM (Module-Lattic-Based KEM) cannot be used to
directly produce the required signature object.  <xref target="RFC6955"/> provides
three ways to produce the necessary signature value.  This document
also defines a signature algorithm that does not provide a POP value
but that can be used to produce the necessary signature value.</t>
      <section anchor="NoSig-Sig">
        <name>No-Signature Signature Mechanism</name>
        <t>Key management (encryption/decryption) private keys cannot always be
used to produce some type of signature value as they can be in a
decrypt-only device.  Certification requests require that the
signature field be populated.  This section provides a signature
algorithm specifically for that purpose.  The following object
identifier and signature value are used to identify this signature
type:</t>
        <sourcecode type="asn.1" markers="false"><![CDATA[
  id-alg-noSignature OBJECT IDENTIFIER ::= { id-pkix id-alg(6) 2 }

  NoSignatureValue ::= OCTET STRING]]></sourcecode>

        <t>The parameters for <tt>id-alg-noSignature</tt> <bcp14>MUST</bcp14> be present and <bcp14>MUST</bcp14> be
encoded as <tt>NULL</tt>.  <tt>NoSignatureValue</tt> contains the SHA-1 hash of the
certification request.  The hash value given by <tt>NoSignatureValue</tt>
<bcp14>SHOULD</bcp14> be ignored.  It is important to realize that there is no
security associated with this signature type.  If this signature type
is on a certification request and the CA policy
requires proof-of-possession of the private key, the POP mechanism
defined in <xref target="EncryptedandDecryptedPOPControls"/> <bcp14>MUST</bcp14> be used.</t>
        <t>When the client generates the <tt>SignedData.SignerInfos.SignerInfo.sid</tt>
field, it has two choices: <tt>issuerAndSerialNumber</tt> or <tt>subjectKeyIdentifier</tt>.
The client does not yet have a certificate; therefore, it cannot fill in
the <tt>issuerAndSerialNumber</tt> and <bcp14>MUST</bcp14> use the <tt>subjectKeyIdentifier</tt>
choice.</t>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgements</name>
      <t>The authors would like to
thank <contact fullname="Jim Schaad"/> and <contact fullname="Michael Myers"/> for their work on RFC 5272.</t>
      <t>Thank you to <contact fullname="Charlie Kaufman"/>, <contact fullname="Orie Steele"/>, <contact fullname="Paul Wouters"/>, <contact fullname="Éric Vyncke"/>, <contact fullname="Mike Bishop"/>, <contact fullname="Reese Enghardt"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Russ Housley"/>, and <contact fullname="Deb Cooley"/> for reviewing the document and providing comments.</t>
      <t>The Acknowledgements section from RFC 5272 follows:</t>
      <blockquote><t>The authors and the PKIX Working Group are grateful for the
participation of <contact fullname="Xiaoyi Liu"/> and <contact fullname="Jeff Weinstein"/> in helping to author
the original versions of this document.</t>
      <t>The authors would like to thank <contact fullname="Brian LaMacchia"/> for his work in
developing and writing up many of the concepts presented in this
document.  The authors would also like to thank <contact fullname="Alex Deacon"/> and <contact fullname="Barb
Fox"/> for their contributions.</t></blockquote>
    </section>
    <section anchor="contributors" numbered="false" toc="include">
      <name>Contributors</name>
      <contact initials="J." surname="Schaad" fullname="Jim Schaad">
        <organization>August Cellars</organization>
        <address>
      </address>
      </contact>
      <contact initials="M." surname="Myers" fullname="Michael Myers">
        <organization>TraceRoute Security, Inc.</organization>
        <address>
      </address>
      </contact>
    </section>
  </back>
</rfc>
