Internet Draft Ambarish Malpani draft-ietf-pkix-scvp-03.txt ValiCert June 12, 2000 Paul Hoffman Expires in six months VPN Consortium Simple Certificate Validation Protocol (SCVP) Status of this memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract The SCVP protocol allows a client to offload certificate handling to a server. The server can give a variety of valuable information about the certificate, such as whether or not the certificate is valid, a chain to a trusted certificate, and so on. SCVP has many purposes, including simplifying client implementations and allowing companies to centralize their trust and policy managment. 1. Introduction Certificate validation is a difficult problem. If certificate handling is to be widely deployed in a variety of applications and environments, the amount of processing an application needs to perform before it can accept a certificate must be reduced. There are a variety of applications that can use public key certificates but are burdened by the overhead of validating the certificates when all the application really wants is the public key and name from the certificate, and a determination of whether or not the certificate may be used for a particular purpose. There are other applications that can perform certificate path validation but have no reliable method of obtaining a current chain to a trusted certificate. 1.1 SCVP overview and requirements The primary goals of SCVP are to make it easier for applications to deploy systems using a PKI and to allow centralization of administering PKI policies. Parts of SCVP can be used by clients that do much of the PKI processing themselves and simply want a useful but untrusted server that will collect information for them. Other parts can be used by clients that have complete trust in the server to both offload the work of certificate validation and to ensure that policies are enforced in a consistent fashion across an enterprise. Untrusted SCVP servers can give client the certificate chains needed for path validation. They can also give clients revocation information such as CRLs and OCSP responses that the client can use in the client's path validation. These services can be valuable to client systems that do not include the protocols needed to find and download all of the intermediate certificates, CRLs, and OCSP responses needed for the client to perform complete path validation. Trusted SCVP servers can perform full certificate validation for the client. If a client uses these services, it inherently trusts the SCVP server as much as it would its own path validation software (if it contained such software). There are two main reasons that a client may want to trust such an SCVP server: - The client does not want to incur the overhead of including path validation software and running it for each certificate it receives. - The client is in an enterprise that wants to centralize its PKI validation policies, such as which root certificates are trusted and which types of policy checking are performed during path validation. 1.2 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [MUSTSHOULD]. 1.3 Open Issues The following is a list of issues that were raised on earlier versions of this document that have not been fully dealt with here. Comments on these issues are particularly welcome. - Extensions can be marked as critical. The usefulness and problems of criticality have been long debated and there has not been a great deal of consensus. In SCVP, marking a request extension as critical says to the server "don't give me an answer unless you understand this extension", and marking a response extension as critical says "don't use this response unless you understand this extension". Without the critical bit in the extensions, either the semantics of extensions would have to be changed to essentially say "all extensions are critical" (which is overkill for some extensions that might really be optional), or the semantics would have to be changed to say "you can never rely on the other party understanding an extension", which would limit the usefulness of some extensions. - All responses are signed. There may be cases where the server doesn't want to sign the responses, such as on messages that are only error responses, or where the message is travelling over a medium that is already known to be secure. 2. Protocol The SCVP protocol uses a simple request-response model. That is, a SCVP client creates a single request and sends it to the server; the server creates a single response and sends it to the client. Typical use of SCVP is expected to be over HTTP, and possibly email. This document registers MIME types for SCVP requests and responses. 3. Requests A SCVP client's request to the server MUST be a single FullRequest item. The FullRequest item contains the entire request. A FullRequest item is carried in an application/scvp-request MIME body part. 3.1 FullRequest The FullRequest item encapsulates the client's request. The FullRequest item contains a PSRequest item, and an optional RequestSignature item. 3.2 PSRequest The PSRequest item contains the part of the client's request. The PSRequest item contains a Version item, a Query item, a TypesOfCheck item, and a WantBack item. It can also contain an optional RequestNonce item and an optional ReqExtensions item. (The "PS" in PSRequest means "possibly signed".) A signed request can be used to authenticate the client to the server and for non-repudiation of the client's request, such as for accounting purposes. A server might require all requests to be signed if the server did not want to respond to request unless they were from authenticated clients. A server might want to allow unsigned requests if the server is authenticating in some other fashion (such as by IP address). In this specification, the item(s) in the Query item are certificates. The TypesOfCheck item tells the server what types of checking it should do on the item(s) in the Query item. The WantBack item tells the server what the client wants to know about the item(s). ReqExtensions in the PSRequest item are used to extend the request, such as to request a different type of item. 3.3 Version The Version item tells the version of SCVP used in a request or a response. The value of the Version item for this specification is 1. 3.4 Query The Query item specifies the object of the request. One type of object is defined in this specification: CertsQuery. (Other types of queries might be specified in the future.) The CertsQuery is a request for information on one or more certificates. A CertsQuery contains a list of certificates, and can also contain zero or one of each of the following items: ValidityTime, IntermediateCerts, TrustedCerts, RevocationInfo, PolicyID, ConfigurationIdentifier, and QueryExtensions. The list of certificates in the Query item tells the server the certificate(s) the client wants a reply for. The optional ValidityTime item tells the time at which the client wants to know about. The optional IntermediateCerts, TrustedCerts, RevocationInfo, PolicyID, and ConfigurationIdentifier items tell the server how to process the request. 3.5 CertBundle The CertBundle item contains one or more Certs. The order of the Cert(s) in the bundle is not important. 3.6 Cert The Cert item contains a complete certificate. The Cert item contains an identifier for the type of certificate and the octets of the certificate itself. One type of certificate, for PKIX [PKIX], is defined, but other types of certificates (such as for OpenPGP [OpenPGP]) may be defined in the future. 3.8 QueryExtensions The QueryExtensions item specifies a list of extensions to the SCVP protocol, for example to request additional information about the certificate(s) in the CertsQuery. The QueryExtensions item contains a sequence of Extension items, each of which contain an ExtnID item, a Critical item, and an ExtnValue item. 3.9 ExtnID The ExtnID item is an identifier for the extension. It contains the OID of the extension. 3.10 Critical The Critical item tells whether the extension is critical. The values for the item are: False Not critical True Critical In a request, if the Critical item is true, the server MUST NOT process the request unless it understands the extension. In a reply, if the Critical item is true, the client MUST NOT process the reply unless it understands the extension. 3.11 ExtnValue The ExtnValue item gives the value of an extension. It contains a sequence of octets. 3.12 IntermediateCerts The IntermediateCerts item specifies to the server the intermediate certificates that the server MAY use when forming a certificate chain. The certificates in the IntermediateCerts item can be used by the server in addition to any other certificates that the server knows of when building chains. The IntermediateCerts item contains a list of certificates. The certificates in the IntermediateCerts MUST NOT be self-signed certificates. The purpose of the IntermediateCerts item is to help the server create validation chains. 3.13 TrustedCerts The TrustedCerts item specifies to the server the trusted certificates that the server MUST use. If a TrustedCerts item is included in a CertsQuery item, the server MUST NOT use any certificate chain anchors other than the certificates in the TrustedCerts item when forming a certificate chain for validation. The TrustedCerts item contains a CertBundle item. 3.14 RevocationInfo The RevocationInfo item specifies to the server revocation information such as CRLs and OCSP [OCSP] responses that the server MAY use when validating certificate chains. The purpose of the RevocationInfo item is to provide revocation information to the server that the server may not have access to, such as an OCSP response that the client received along with the certificate. Note that the information in the RevocationInfo item might not be used by the server, such as if the information is for certificates that the server does not use in chain building. The types of revocation proof that can be provided are: - CRL - OCSP response [[[Need to specify the format of the extensions for both CRLs and for OCSP responses.]]] 3.15 PolicyID The PolicyID item specifies to the server the policy ID that the server MUST use when forming a certificate chain. The PolicyID item contains a URL that, when resolved, defines the policy. 3.16 ConfigurationIdentifier The ConfigurationIdentifier item tells the server the SCVP options that the client wants the server to use. The client can use this option instead of specifying other SCVP configuration such as PolicyID, TrustedCerts, RevocationInfo, and so on. The value of this item is determined by private agreement between the client and the server and is not specified in this document. For example, the value might be the hash of some set of options, or it might be a short identifier for a common set of options. Further, the server might want to have identifiers that indicate that some settings are used in addition to others given in the request; in this way, the configuration identifier might be a shorthand for some SCVP options. 3.17 TypesOfCheck The TypesOfCheck item describes the kind of checking that the client wants the server to do on the certificate(s) in the Query item. If the TypesOfCheck item is given in a request, it can contain one or more types of checks. For each type of check specified in the request, the server MUST perform all the checks requested, or return an error. The types of checks are: - Path validation to a trusted root - Revocation status Note that revocation status check inherently includes path validation. 3.18 WantBack The WantBack item describes the kind of information the client wants from the server for the certificate(s) in the Query item. If the WantBack item is given in a request, it can contain one or more types of information. For each type of information specified in the request, the server MUST return information on what it found during the check. The types of information that can be requested are: - Certificate chain used to validate the certificate - Proof of revocation status For example, a request might include a TypesOfCheck item that does not specify path validation, and include a WantBack item that specifies the certificate chain used to validate. The response would not include a status for the validation, but would include a certificate chain that the server thinks might validate. This set of options might be used by a client that wants to do its own path validation. 3.19 ValidityTime The ValidityTime indicates the time for which the client wants the information to be relevant. Not specifying a ValidityTime means that the server should use the current time. For example, when asking for validation of a certificate, the client might ask "was this certificate valid at this time". The information in the CertReply item in the response MUST be formatted as if the server created the response at the time indicated in the ValidityTime, if the server doesn't have historical information about that time, it MAY either return an error or return information for a later time. A client MUST be able to handle responses that have ThisUpdate items that are later than the requested ValidityTime. 3.20 RequestNonce The RequestNonce item is an identifier generated by the client for the request; the server MUST return the same RequestNonce in the signed part of the server's response. The RequestNonce item is simply a sequence of octets. The client SHOULD include a RequestNonce item in every request to prevent an attacker acting as a man-in-the-middle from replaying old responses from the server. The value of the nonce SHOULD change with every request sent from the client. 3.22 RequestSignature The RequestSignature item is the signature of the PSRequest item. The details of how a RequestSignature is computed is defined in the specific sections which describe how a request/response is represented in various formats. 4. Responses A SCVP server's response to the client MUST be a single FullResponse item. The FullResponse item contains the entire response. A FullResponse item is carried in an application/scvp-response MIME body part. 4.1 FullResponse The FullResponse item encapsulates the server's response. The FullResponse item contains a PSResponse item and an optional ResponseSignature item. 4.2 PSResponse The PSResponse item contains the part of the server's response that is signed by the ResponseSignature item. The item contains a Version item, a ProducedAt item, a ResponseStatus item, and a RequestHash item. The item can also contain an optional ReplyObjects item, an optional RequestNonce item, and an optional RespExtensions item. The PSResponse item MUST contain exactly one CertReply item for each certificate requested in the request. The RequestNonce item MUST be included if the request had a RequestNonce item. 4.3 ProducedAt The ProducedAt item tells the time at which the whole response was produced. The ProducedAt item represents the date at UTC. 4.4 ResponseStatus The ResponseStatus item gives status information to the client about its request. The ResponseStatus item has a numeric status code and an optional string that is a sequence of characters from the ISO/IEC 10646-1 character set encoded with the UTF-8 transformation format defined in [UTF8]. The optional string may be used to transmit status information, but it is optional. The client MAY choose to display the string to the client. However, because there is no way to know the languages understood by the user, the string may be of little or no use to them. The complete list of status codes for the ResponseStatus item is: 0 The request was fully processable 1 The request included unrecognized items; continuing 10 Too busy; try again later 20 The structure of the request was wrong 21 The version of request is not supported by this server 22 The request included unrecognized items; aborting 23 The key given in the RequestSignature is not recognized 24 The signature did not match the body of the request 25 The encoding was not understood 26 The request was not authorized 4.4a RequestHash The RequestHash item is the SHA-1 hash of the PSRequest item. The RequestHash item serves the following purposes: - It helps a client know that the request was not maliciously modified when the client gets the response back - It allows the client to associate a response with a request when using connectionless protocols The purpose of the RequestHash is not for authentication of the client. The server MUST return the RequestHash item in the response. 4.5 ReplyObjects The ReplyObjects item returns objects to the client. In this specification, the ReplyObjects item is always a CertReply, which tells the client about a single certificate from the request. The CertReply item contains a Cert item identifying the certificate, a ReplyStatus item, a ThisUpdate item, and a NextUpdate item. There may also be the following optional items: ValidationStatus, RevocationStatus, PublicKey, CertSubject, ValidationChain, RevocationProof, and SingleReplyExtensions. The presence or absence of the ValidationStatus, RevocationStatus, PublicKey, CertSubject, ValidationChain, and RevocationProof items in the CertReply item is controlled by the TypesOfCheck, and WantBack items in the request. A server MUST include one of the above items for each related item requested in the TypesOfCheck, and WantBack items. 4.6 ReplyStatus The ReplyStatus item gives status information to the client about the request for the specific certificate. Note that the ResponseStatus item is different than the ReplyStatus item. The ResponseStatus item is the status of the whole request, while the ReplyStatus item is the status for the individual certificate. The complete list of status codes for the ReplyStatus item is: 0 Success: a definitive answer follows 1 Failure: the certificate type is not recognized 2 Failure: an item wanted in TypesOfCheck is not recognized 3 Failure: an item wanted in WantBack is not recognized 4 Failure: the certificate was malformed 5 Failure: the mandatory PolicyID is not recognized 6 Failure: the ConfigurationIdentifier is not recognized 7 Failure: unauthorized request Status code 4 is used to tell the client that the request was properly formed but the certificate in question was not. This is useful to clients that cannot parse a certificate. 4.7 ThisUpdate The ThisUpdate item tells the time at which the information in the CertReply was correct. The ThisUpdate item represents the date as UTC. 4.8 NextUpdate The NextUpdate item tells the time until which the server expects the information in the CertReply to be valid. The NextUpdate item represents the date at UTC. [[[Is there a desire for another item that says "the server takes liability for this response up to this particular time?]]] 4.9 ReplyTypesOfCheck The ReplyTypesOfCheck contains the responses to the client's TypesOfCheck item in the request. It has the same form as the Extensions item, and the OIDs in the ReplyTypesOfCheck item MUST match the OIDS in the TypesOfCheck item. The value for path validation to a trusted root, {type-arc 0}, can be one of the following: 0 Valid 1 Not valid 2 Unknown The value for the revocation status, {type-arc 1}, can be one of the following: 0 Good 1 Revoked 2 Unknown 4.10 ReplyWantBack The ReplyWantBack contains the responses to the client's WantBack item in the request. It has the same form as the Extensions item, and the OIDs in the ReplyWantBack item MUST match the OIDS in the WantBack item. The value for the certificate chain used to validate the certificate in the request, {want-arc 1}, is a CertBundle item. The value for the proof of revocation status, {want-arc 2}, is a RevocationProof item. 4.11 RevocationProof The RevocationProof item gives the client the proof that the server used to check revocation. The structure of the RevocationProof item is the same as an Extensions item. The OIDs in the RevocationProof item are the same as those in the RevocationInfo item. 4.12 ResponseSignature The ResponseSignature item is the signature of the PSResponse item. The client SHOULD check the signature on every signed message it receives from the server. In order to check the signature, the client MUST know and rely on the public signing key of the server. The client could have obtained the server's public key through an out-of-band mechanism of direct trust or through a certificate that chains to a root that the client trusts to delegate this type of authority. 5. ASN.1 Syntax for SCVP This section defines the syntax for SCVP messages. The semantics for the messages are defined in sections 2, 3, and 4. 5.1 Signatures in ASN.1 Signatures in ASN.1 are done over the DER encoding of the PSRequest/PSResponse item. The Name is the distinguished name of the signer. The SignatureAlgorithm is the algorithm used to sign the request, and a SignatureBits item that is the signature itself. The signature may also contain an optional CertBundle that represents a chain of certs to verify the key used to sign the request. 5.1.1 SignatureAlgorithm The SignatureAlgorithm identifies the algorithm used to sign a request or response. The SigningAlgorithm item contains the OID of the algorithm and any necessary parameters for the algorithm. 5.1.2 SignatureBits The SignatureBits item holds the octets of a signature. The structure of the SignatureBits item is determined by the value of the SignatureAlgorithm item. 5.2 ASN.1 Module definition SCVP DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS -- Directory Authentication Framework (X.509) Certificate, AlgorithmIdentifier FROM AuthenticationFramework { joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3 } -- PKIX Imports Name, Extensions, FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)}; FullRequest ::= SEQUENCE { psRequest PSRequest, requestSignature [0] Signature OPTIONAL } PSRequest ::= SEQUENCE { version INTEGER, query Query, typesOfCheck TypesOfCheck, wantBack WantBack, requestNonce [1] OCTET STRING OPTIONAL, reqExtensions [2] Extensions OPTIONAL } Query ::= CHOICE { certsQuery [0] CertsQuery } CertsQuery ::= SEQUENCE { queriedCerts SEQUENCE SIZE (1..MAX) OF Cert, validityTime [0] GeneralizedTime OPTIONAL, intermediateCerts [1] SEQUENCE SIZE (1..MAX) OF Cert OPTIONAL, trustedCerts [2] CertBundle OPTIONAL, revocationInfo [3] Extensions OPTIONAL, policyID [4] UTF8String OPTIONAL, configurationIdentifier [5] OBJECT IDENTIFIER OPTIONAL, queryExtensions [6] Extensions OPTIONAL } CertBundle ::= SEQUENCE SIZE (1..MAX) OF Cert Cert ::= CHOICE { pkixCert [0] Certificate } TypesOfCheck ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER WantBack ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER Signature ::= SEQUENCE { signerName Name, signatureAlgorithm AlgorithmIdentifier, signatureBits BIT STRING, certs [0] CertBundle OPTIONAL } FullResponse ::= SEQUENCE { psResponse PSResponse, responseSignature [0] Signature OPTIONAL } PSResponse ::= SEQUENCE { version INTEGER, producedAt GeneralizedTime, responseStatus ResponseStatus, requestHash OCTET STRING, replyObjects [0] ReplyObjects OPTIONAL, requestNonce [2] OCTET STRING OPTIONAL, respExtensions [3] Extensions OPTIONAL } ResponseStatus ::= SEQUENCE { statusCode INTEGER, errorMessage [0] UTF8String OPTIONAL } ReplyObjects ::= CHOICE { certReplies [0] SEQUENCE SIZE (1..MAX) OF CertReply } CertReply ::= SEQUENCE { cert Cert, replyStatus ReplyStatus, thisUpdate GeneralizedTime, nextUpdate GeneralizedTime, replyTypesOfCheck [0] Extensions OPTIONAL, replyWantBack [1] Extensions OPTIONAL, singleReplyExtensions [2] Extensions OPTIONAL } ReplyStatus ::= ENUMERATED { success (0), certTypeUnrecognized (1), typeOfCheckUnrecognized (2), wantBackUnrecognized (3), certMalformed (4), policyIDUnrecognized (5), configInfoUnrecognized (6), unauthorizedRequest (7) } -- Need to include type-arc, want-arc, and revinfo-arc END 6. XML Syntax for SCVP This section defines the syntax for SCVP messages. The semantics for the messages are defined in sections 2, 3, and 4. TODO: We need to import the XML DSig data into our DTD. We also need to provide more information about the format of the elements which map to PCDATA. Note: this is the second attempt at XML for SCVP. We invite any comments on it. 6.1 Signatures in XML Signatures are done using [XMLDSIG]. 6.2 Namespaces The XML namespace [XML-ns] URI that MUST be used by implementations of this (dated) specification is: xmlns="http://www.ietf.org/pkixwg/01/scvp" 6.3 XML Request/Response syntax 6.3 Example of XML syntax 1 MIICEzCCAb0CAgfYMA0GCSqGSIb3D QEBBAUAMIGTMQswCQYDVQQGEwJLTz . . . oeedsN6iA4IhpA4Ev2rWiM92OoKag UvVGaQoBuDkz7JfYNw== 19991232235959 MIICEzCCAb0CAgfYMA0GCSqGSIb3D QEBBAUAMIGTMQswCQYDVQQGEwJLTz . . . oeedsN6iA4IhpA4Ev2rWiM92OoKag UvVGaQoBuDkz7JfYNw== 1.3.5.5.5.2.5.2 1.3.5.5.5.2.5.2 2888475218934 1.5.4.5.9.12.1 192812 a23bcd43 dd2323dd C=US, ST=Illinois, L=Chicago, O=Aromatic Penguin Playing Basketball, OU=Certificate Authority, CN=www.ceramic.com 2007 MIICITCCAcsCAgfXMA0GCSqGSIb3DQEBBAUAMIGaMQswCQYDVQQG EwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNh . . . bD2d2MixUSENihcgGbCEikUpNrMREO/eYkyKsiqmzAxlr3Tu/eKB NBeu TODO: Need to add an example of a response 7. Security Considerations A client that trusts a server's responses for validation of certificates inherently trusts that server as much as it would trust its own validation software. This means that if an attacker compromises a trusted SCVP server, the attacker can change the validation processing for every client that relies on that server. Thus, an SCVP server must be protected at least as well as the weakest root server that the SCVP server trusts. If the client does not check the signature on the response, a man-in-the-middle attack could fool the client into believing modified responses from the server, or responses to questions the client did not ask. This attack does not affect the usefulness of some responses (such as a response that returns a certificate path that the client will validate itself) but does affect things such as a validation response. If the client does not include a RequestNonce item, or if the client does not check that the RequestNonce in the reply matches that in the request, an attacker can replay previous responses from the server. This attack can also be mounted, even with signed requests, if the server does not keep track of previous RequestNonce items. If the server does not require some sort of authorization (such as signed requests), an attacker can get the server to reply to arbitrary requests. Such responses may give the attacker information about weaknesses in the server or about the timeliness of the server's checking. This information may be valuable for a future attack. A. References [MUSTSHOULD] "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119. [OCSP] "PKIX Online Certificate Status Protocol (OCSP)", RFC 2560. [OpenPGP] "OpenPGP Message Format", RFC 2440. [PKIX] "PKIX Certificate and CRL Profile", RFC 2459. [SHA-1] "Secure Hash Standard", NIST FIPS publication 180-1, April 1995. [UTF8] "UTF-8, a transformation format of ISO 10646", RFC 2279. [XMLDSIG] NEED THE REFERENCE B. Acknowledgments The lively debate in the PKIX Working Group also had a significant impact on the types of items described in this protocol. Denis Pinkas suggested some additional requirements for the protocol, and Mike Myers helped point out sections that needed clarification. C. Changes Between Versions of This Document C.1 Differences between -00 and -01 1: Rewrote to both narrow focus and to explain the goals more fully. 1.1: Removed second paragraph. 2: Removed the discussion of the two syntaxes. 3: Reorganized the section to put the Extensions items after the CertsQuery items. The section numbers below are from the -00 draft. Throughout the section, made RequestHash mandatory instead of optional. Added RevocationInfo item. Changed CertID to CertHash throughout. Fixed the names of the parts of the signature to match the text. 3.1: Split the item into a TBSRequest followed by the hash and/or signature. Changed the order of the extensions item so that all the optional items were together. Changed CertsQuery into Query. Added the ValidityTime item. 3.3: Redefined Extension to be Extensions to be more similar to Extensions in PKIX. Other wording changes. 3.5: Gave more explanation for the ExtensionCritical bit, and made the values boolean. Note that this item may disappear, depending on discussion of the open issue on it. 3.7: Changed CertsQuery into Query and described the one defined instance as CertsQuery. Moved the TypesOfCheck and WantBack from the Query and up one level to the TBSRequest. 3.9: Removed OpenPGP cert, but allowed for it to be added back in the future. 3.10: Removed OpenPGP cert hash, but allowed for it to be added back in the future. 3.11 Made TypesOfCheck OIDs. 3.12: Made WantBack OIDs. Removed the public key and the names. 3.10: Added sentence about when a client might include a CertHash item in the TrustedRoots. 3.13: Clarified use of IntermediateCerts 3.18: Added wording that the RequestHash should not be used for authentication. 3.19: Changed wording to make it clear that RequestSignature was needed only for authentication of the client. 3.23: Clarified purpose of KeyID. 4: The section numbers below are from the -00 draft. Throughout the section, made returning the RequestHash mandatory because it is now mandatory in the request. 4.1: Split the item into a TBSResponse followed by the hash and/or signature. Made ResponseSignature mandatory. Made the items returned in the form of Extensions to match the fact that TypesOfCheck and WantBack are now sequences of OIDs. 4.3: Made the status code a single number. 4.4 Removed the subject names and public keys. Added NextUpdate. 4.10: Clarified that CertSubject for PKIX certs must contain both the subject name and the subjectAltName. 4.13: Made ResponseSignature mandatory; this might be changed back to optional for some types of responses in a future revision of the spec. Added a discussion of how the client can get the server's signing key. Old 5: Removed tiny syntax, renumbered old 6 to 5. 5: Added note about semantics in 2-4. Split FullRequest into FullRequest and TBSRequest. Moved the extensions item in FullRequest. Changed the certsQuery to Query. Move TypesOfCheck and WantBack up to TBSRequest. Made TypesOfCheck and WantBack SEQUENCE of OIDs. Added ValidityTime. Changed "CertID" to "CertHash". Made the status code a single number. Added reminder in CertItem about full certs. Changed order of Signature items. Split FullResponse into FullResponse and TBSResponse. Added ReplyTypesOfChecks and ReplyWantBack items. Added Extensions item and sub-items. 7: Updated to reflect mandatory RequestHash and ResponseSignature. Added explicit words about compromise of the SCVP server. Removed the first paragraph because it was confusing and will be fixed in later versions of the draft. A: Added reference to OCSP. D: Updated. C.2 Difference between -01 and -02 Abstract: Updated to include design goals. Throughout: Changed TBSRequest to PSRequest. Changed UsageID to PolicyID. Changed Greenwich Mean Time to UTC. 1.2: Changed wording to match RFC 2119. 1.3: Removed first open issue (cert hashes) because we removed cert hashes. Removed third open issue (optional response signing) because the draft now clarifies which responses must be signed and which ones don't. Added new open issue (making signatures on responses optional). 3.1: Removed the RequestHash from the request. 3.2: Removed the RequestHash from the request. Added explanation of PSRequest name. Added SignerName here. 3.4: Added note about other types of queries being added in the future. 3.5: Removed CertHash. 3.7: Removed the CertHash item. Filled in the hole that would have been created with SignerName from below. 3.10: Minor edit to last line. 3.12: Removed most of the second paragraph because it was confusing. 3.14: Removed the arc stuff. 3.15: Made the PolicyID be a URL instead of an OID. 3.17: Removed the arc stuff. Also added last sentence after the list. 3.18: Removed the arc stuff. 3.19: Removed the surperfluous NextUpdate from the last sentence. Detailed what no ValidityTime request means. Changed what should happen if the client requests information for a time that the server does not have. 3.21: Changed last sentence to indicate that the RequestHash is only returned in the response, not sent in the request. 3.22: Removed the last sentence because the RequestHash is only returned in the response, not sent in the request. Moved the second paragraph up to 3.2 to make it clearer why someone might or might not sign their request. Got rid of the optional KeyID. Removed the SignerName. 3.23: Moved SignerName up in the document to 3.7. Renumbered the rest of this section. 3.26: Got rid of KeyID item. 4.2: Added SignerName here. 4.4: Got rid of 11 and 12 and made the description of 10 more sensible. Changed 25 to "encoding not understood". 4.5: Removed the last sentence because it was confusing. 4.9: Got rid of "temporarily unknown". 4.12: Made the response signature optional in the first sentence of the second paragraph. Got rid of KeyID. Removed the SignerName. 5: Removed RequestHash from FullRequest. Removed CertItem and made CertBundle a SEQUENCE OF Cert. Changed type of policyID to UTF8string to hold the URL. Got rid of KeyID. Moved signerName out of Signature and into PSRequest and TBSResponse, and made it optional. 6: Added the XML syntax and example. 7: Removed the second paragraph because it dealt with RequestHash in the request. C.3 Difference between -02 and -03 1. Changed TBSResponse and TBSRequest to PSResponse and PSRequest. Made signatures optional in both requests and responses. 2. Added a tag to the optional signatures in both requests and responses. 3. Changed RevocationInfos to RevocationInfo. 4. Removed CertHash completely. 5. Simplified section 3.5, since FullCert has gone away 6. Replaced section 3.6 to talk about Cert, rather than FullCert 7. Replaced ExtensionParameter with ExtensionValue in Section 3.11. 8. Made sure that all SEQUENCE OF are SEQUENCE SIZE (1..MAX) OF 9. Import Extension and used the same definition for Extension as in RFC2459 10. Replace "trusted root" with "trusted certificate", because a server or client might decide to put its trust in a certificate that might not be self-signed. Replaced trustedRoot with trustedCert. 11. Fixed once occurance of definition of requestNonce 12. Removed scvp, scvpReq and scvpResp tags in the XML. 13. Removed the last 2 sentences of the second paragraph Section 3.4 14. Changed last sentence of section 3.13, since you have have multiple cert chains for a certificate even if there is no cross certification. 15. Changed last sentence of section 3.17. 16. Moved section 3.21 to the response section - 4.4a. We need to renumber all sections when we are close to being done. 17. Added a default value for the attribute value of ReplyStatus in the XML. 18. Added IMPORTS to the ASN.1 module. 19. Gave the extensions in different places different names. 20. Changed the way criticality is specified for Extension in XML 21. Added the mime type registration requests 22. Added appendix E and moved Author Information to appendix F 23. Moved signerName from the PSRequest and PSResponse to the signature part. 24. Removed the second paragraph in section 3.13. 25. Changed a line in section 3.14, first para (about where a client may have obtained an OCSP response to send to the SCVP server). 26. Got rid of the multiple places where we say what is signed by the RequestSignature or ResponseSignature (e.g. section 3.1 and 3.2). Also simplified the definition of the RequestSignature and ResponseSignature in sections 3 and 4. The should be defined in detail in the encoding sections. D. MIME Registrations D.1 application/scvp-request To: ietf-types@iana.org Subject: Registration of MIME media type application/scvp-request MIME media type name: application MIME subtype name: scvp-request Required parameters: None Optional parameters: None Encoding considerations: binary or XML Security considerations: Carries a request for information. This request may optionally be cryptographically signed. Interoperability considerations: None Published specification: IETF PKIX Working Group Draft on Simple Certificate Validation Protocol - SCVP Applications which use this media type: SCVP clients Additional information: Magic number(s): None File extension(s): .SCQ Macintosh File Type Code(s): none Person & email address to contact for further information: Ambarish Malpani Intended usage: COMMON Author/Change controller: Ambarish Malpani D.2 application/scvp-response To: ietf-types@iana.org Subject: Registration of MIME media type application/scvp-response MIME media type name: application MIME subtype name: scvp-response Required parameters: None Optional parameters: None Encoding considerations: binary or XML Security considerations: Carries a cryptographically signed response Interoperability considerations: None Published specification: IETF PKIX Working Group Draft on Simple Certificate Validation Protocol - SCVP Applications which use this media type: SCVP servers Additional information: Magic number(s): None File extension(s): .SCS Macintosh File Type Code(s): none Person & email address to contact for further information: Ambarish Malpani Intended usage: COMMON Author/Change controller: Ambarish Malpani E. SCVP data format E.1 SCVP over HTTP This section describes the formatting that will be done to the request and response to support HTTP. E.1.1 Request HTTP based SCVP requests can the POST method to submit their requests. Where privacy is a requirement, SCVP transactions exchanged using HTTP MAY be protected using either TLS/SSL or some other lower layer protocol. An SCVP request using the POST method is constructed as follows: The Content-Type header MUST have the value "application/scvp-request" while the Content-Length header MUST be present and have the exact length of the request. The body of the message is the binary value of the DER encoding of the FullRequest, or XML encoding of FullRequest. Other HTTP headers MAY be present and MAY be ignored if not understood by the requestor. E.1.2 Response An HTTP-based SCVP response is composed of the appropriate HTTP headers, followed by the binary value of the DER encoding of the FullResponse or XML encoding of FullResponse. The Content-Type header MUST have the value "application/scvp-response". The Content-Length header MUST be present and specify the length of the response. Other HTTP headers MAY be present and MAY be ignored if not understood by the requestor. F. Author Contact Information Ambarish Malpani ValiCert, Inc. 339 N. Bernardo Ave. Mountain View, CA 94043 ambarish@valicert.com Paul Hoffman VPN Consortium 127 Segre Place Santa Cruz, CA 95060 USA paul.hoffman@vpnc.org