]> Siemens

Germany hannes.tschofenig@gmx.net

Siemens

Werner-von-Siemens-Strasse 1 Munich 80333 Germany hendrik.brockhaus@siemens.com https://www.siemens.com

sec LAMPS Working Group Remote Attestation Certificate Signing Request Certificate Management Protocol (CMP) Enrollment over Secure Transport (EST) When an end entity includes attestation Evidence in a Certificate Signing Request (CSR), it may be necessary to demonstrate the freshness of the provided Evidence. Current attestation technology commonly achieves this using nonces. This document outlines the process through which nonces are supplied to the end entity by an RA/CA for inclusion in Evidence, leveraging the Certificate Management Protocol (CMP) and Enrollment over Secure Transport (EST)

Introduction The management of certificates, encompassing issuance, CA certificate provisioning, renewal, and revocation, has been streamlined through standardized protocols. The Certificate Management Protocol (CMP) defines messages for X.509v3 certificate creation and management. CMP facilitates interactions between end entities and PKI management entities, such as Registration Authorities (RAs) and Certification Authorities (CAs). For Certificate Signing Requests (CSRs), CMP primarily utilizes the Certificate Request Message Format (CRMF) but also supports PKCS#10 . Enrollment over Secure Transport (EST) (, ) is another certificate management protocol that provides a subset of CMP's features, primarily using PKCS#10 for CSRs. When an end entity requests a certificate from a Certification Authority (CA), it may need to assert credible claims about the protections of the corresponding private key, such as the use of a hardware security module or the protective capabilities provided by the hardware, as well as claims about the platform itself. To include these claims as Evidence in remote attestation, the remote attestation extension has been defined. It specifies how Evidence produced by an Attester is encoded for inclusion in CRMF or PKCS#10, along with any necessary certificates for its validation. For a Verifier or Relying Party to ensure the freshness of the Evidence, knowing the exact time of its production is crucial. Current attestation technologies, like and , often employ nonces to ensure the freshness of Evidence. Further details on ensuring Evidence freshness can be found in . provides examples where a CSR contains one or more Evidence statements. For each Evidence statement the end entity may wish to request a separate nonce. Since an end entity requires one or more nonces from one or more Verifier via the RA/CA, an additional roundtrip is necessary. However, a CSR is a one-shot message. Therefore, CMP and EST enable the end entity to request information from the RA/CA before submitting a certification request conveniently. Once a nonce is obtained, the end entity invokes the API on an Attester, providing the nonce as an input parameter. The Attester then returns an Evidence, which is embedded into a CSR and potentially together with further Evidence statements, submitted back to the RA/CA in a certification request message. illustrates this interaction: The nonce is requested in step (0) and obtained in step (1) using the extension to CMP/EST defined in this document. The CSR extension conveys Evidence to the RA/CA in step (2). The Verifier processes the received Evidence and returns the Attestation Result to the Relying Party. The CA uses the Attestation Result with the Appraisal Policy and other information to create the requested certificate. The certificate is returned to the End Entity in step (3).

| | | | | | | | | Request Nonce (0) | | |---------------------->| | | | Request Nonce | | |-------------------->| | | Nonce | | |<--------------------| | Nonce (1) | | |<----------------------| | | | | | Attested CSR (2) | | |---------------------->| | | | Evidence | | |-------------------->| | | Attestation Result | | |<--------------------| | Certificate (3) | | |<----------------------| | | | | | | | ]]>

The functionality described in this document is divided into two sections: describes how to convey the nonce using CMP. describes the equivalent functionality for EST.

Terminology and Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 . The terms Attester, Relying Party, Verifier and Evidence are defined in . The terms end entity, certification authority (CA), and registration authority (RA) are defined in . We use the terms Certificate Signing Request (CSR) and certification request interchangeably.

Conveying a Nonce in CMP Section 5.3.19 of defines the general request message (genm) and general response (genp). The NonceRequest payload of the genm message, sent by the end entity to request a nonce, optionally includes details on the required length of the nonce from the Attester. The NonceResponse payload of the genp message, sent by the CA/RA in response to the request, contains the nonce itself.

id-it-nonceRequest OBJECT IDENTIFIER ::= { id-it TBD1 } NonceRequestValue ::= SEQUENCE SIZE (1..MAX) OF NonceRequest NonceRequest ::= SEQUENCE { len INTEGER OPTIONAL, -- indicates the required length of the requested nonce type OBJECT IDENTIFIER OPTIONAL, -- indicates which Evidence type to request a nonce for hint EvidenceHint OPTIONAL -- indicates which Verifier to request a nonce from } id-it-nonceResponse OBJECT IDENTIFIER ::= { id-it TBD2 } NonceResponseValue ::= SEQUENCE SIZE (1..MAX) OF NonceResponse NonceResponse ::= SEQUENCE { nonce OCTET STRING, -- contains the nonce of length len -- provided by the Verifier indicated with hint expiry Time OPTIONAL, -- indicates how long the Verifier considers the -- nonce valid type OBJECT IDENTIFIER OPTIONAL, -- indicates which Evidence type to request a nonce for hint EvidenceHint OPTIONAL -- indicates which Verifier to request a nonce from } ]]>

The end entity may request one or more nonces for different Verifier. The EVIDENCE-STATEMENT type and the EvidenceHint are defined in . They allow the Attester to specify to the Relying Party which Verifier should be contacted to obtain a nonce. If a NonceRequest structure does not contain type or hint, the RA/CA should respond with a nonce it MAY generated by itself. The use of the general request/response message exchange introduces an additional roundtrip for transmitting nonce(s) from the CA/RA to the end entity (and subsequently to the Attester within the end entity). The end entity MUST construct a id-it-nonceRequest message to prompt the RA/CA to send a nonce(s) in response. The message may contain one ore more NonceRequest structures, at a maximum one per Evidence statement the end entity wishes to provide in a CSR. If a NonceRequest structure does neither contain a type nor a hint, the RA/CA may generate a nonce itself and provide it in the respective NonceResponse structure. NonceRequest, NonceResponse, and EvidenceStatement structures can contain a type field and a hint field. In terms of type and hint content, the order in which the NonceRequest structures were sent in the request message MUST match the order of the NonceResponse structures in the response message and the EvicenceStatements in the CSR later. This is important so that the RA/CA can send the Evidence statement to the Verifier who generated the nonce used by the Attester who generated it. If the end entity supports remote attestation and the policy dictates the inclusion of Evidence in a CSR, the RA/CA responds with a NonceResponse message containing the requested nonce. The interaction is illustrated in .

>-- NonceRequest -->>-- Verify request Generate nonce* Create response --<<-- NonceResponse --<<-- (nonce, expiry) Generate key pair Generate Evidence* Generate certification request message -->>-- certification request -->>-- +Evidence including nonce) Verify request Verify Evidence* Check for replay* Issue certificate Create response --<<-- certification response --<<-- Handle response Store certificate *: These steps require interactions with the Attester (on the EE side) and with the Verifier (on the RA/CA side). ]]>

If HTTP is used to transfer the NonceRequest and NonceResponse messages, the OPTIONAL <operation> path segment defined in Section 3.6 of MAY be used.

If CoAP is used for transferring NonceRequest and NonceResponse messages, the OPTIONAL <operation> path segment defined in Section 2.1 of MAY be used.

Conveying a Nonce in EST The EST client requests a nonce for its Attester from the EST server. This function typically follows the request for CA certificates and precedes other EST operations. The EST server MUST support the path-prefix of "/.well-known/" as defined in and the registered name of "est". Therefore, a valid EST server URI path begins with "https://www.example.com/.well-known/est". Each EST operation is indicated by a path-suffix that specifies the intended operation. The following operation is defined by this specification:

The operation path is appended to the path-prefix to form the URI used with HTTP GET or POST to perform the desired EST operation. An example of a valid URI absolute path for the "/nonce" operation is "/.well-known/est/nonce".

Request Methods An EST client uses either a GET or a POST method, depending on whether additional parameters need to be conveyed: A GET request MUST be used when the EST client does not want to convey extra parameters. A POST request MUST be used when parameters, such as nonce length or a hint about the verification service, are included in the request.

Example Requests To retrieve a nonce using a GET request:

To retrieve a nonce while specifying the size and providing a hint about the verification service using a POST request:

The payload in a POST request MUST be of content-type "application/json" and MUST contain a JSON object with the member "len" indicating the length of the requested nonce value in bytes, and optionally the "hint" member, which specifies an FQDN based on the definition in the EvidenceHint structure from ).

Server Response If successful, the EST server MUST respond with an HTTP 200 status code and a content-type of "application/json", containing a JSON object with the "nonce" member. The "expiry" member is optional and indicates the validity period of the nonce. The EST server MAY request HTTP-based client authentication, as explained in Section 3.2.3 of . If the request is successful, the EST server response MUST contain a HTTP 200 response code with a content-type of "application/json" and a JSON object with the member nonce. The expiry member is optional and indicates the time the nonce is considered valid. After the expiry time is expired, the session is likely garbage collected. Below is an example response:

Open Issue: Should a specific content type be registered for use with EST over CoAP, where the nonce and expiry fields are encoded in a CBOR structure?

Nonce Processing Guidelines When the RA/CA is requested to provide a nonce to an end entity, it interacts with the Verifier. According to the IETF RATS architecture , the Verifier is responsible for validating Evidence about an Attester and generating Attestation Results for use by a Relying Party. The Verifier also acts as the source of the nonce to prevent replay attacks. The nonce value MUST contain a random byte sequence whereby the length depends on the used remote attestation technology as specific nonce length may be required by the end entity. This specification assumes that the RA/CA possesses knowledge, either out-of-band or through the len field in the NonceRequest, regarding the required nonce length for the attestation technology. Nonces of incorrect length will cause the remote attestation protocol to fail. For instance, the PSA attestation token supports nonce lengths of 32, 48, and 64 bytes. Other attestation technologies employ nonces of similar lengths. When the end entity requests a nonce, the RA/CA SHOULD respond with a nonce in the specified length. If a specific length was requested, the RA/CA must provide a nonce of that size. The end entity MUST use the received nonce if the remote attestation supports the requested length. If necessary, the end entity MAY adjust the length of the nonce by truncating or padding it accordingly. While this specification does not address the semantics of the attestation API or the underlying software/hardware architecture, the API returns Evidence from the Attester in a format specific to the attestation technology used. The returned Evidence is encapsulated within the CSR, as defined in . The software generating the CSR treats the Evidence as an opaque blob and does not interpret its format. It's crucial to note that the nonce is included in the Evidence, either implicitly or explicitly, and MUST NOT be conveyed in CSR structures outside of the Evidence payload. The processing of CSRs containing Evidence is detailed in . mportantly, certificates issued based on this process do not contain the nonce, as specified in .

IANA Considerations This document adds new entries to the "CMP Well-Known URI Path Segments" registry defined in .

[Open Issue: Register path segments for EST]

Security Considerations This specification details the process of obtaining a nonce via CMP and EST, assuming that the nonce does not require confidentiality protection while maintaining the security properties of the remote attestation protocol. defines the IETF remote attestation architecture and extensively discusses nonce-based freshness. Section 8.4 of specifies requirements for the randomness and privacy of nonce generation when used with the Entity Attestation Token (EAT). These requirements, which are also adopted by attestation technologies like the PSA attestation token , provide general utility: The nonce MUST have at least 64 bits of entropy. To prevent disclosure of privacy-sensitive information, it should be derived using a salt from a genuinely random number generator or another reliable source of randomness. Each attestation technology specification offers guidance on replay protection using nonces and other techniques. Specific recommendations are deferred to these individual specifications in this document. Regarding the use of Evidence in a CSR, the security considerations outlined in are pertinent to this specification.

In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Entrust Limited Siemens Fraunhofer SIT Beyond Identity Intel Corporation A PKI end entity requesting a certificate from a Certification Authority (CA) may wish to offer trustworthy claims about the platform generating the certification request and the environment associated with the corresponding private key, such as whether the private key resides on a hardware security module. This specification defines an attribute and an extension that allow for conveyance of Evidence in Certificate Signing Requests (CSRs) such as PKCS#10 or Certificate Request Message Format (CRMF) payloads which provides an elegant and automatable mechanism for transporting Evidence to a Certification Authority. Including Evidence along with a CSR can help to improve the assessment of the security posture for the private key, and can help the Certification Authority to assess whether it satisfies the requested certificate profile. These Evidence Claims can include information about the hardware component's manufacturer, the version of installed or running firmware, the version of software installed or running in layers above the firmware, or the presence of hardware components providing specific protection capabilities or shielded locations (e.g., to protect keys). Siemens Siemens Entrust Entrust This document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocol (CMP). Protocol messages are defined for X.509v3 certificate creation and management. CMP provides interactions between client systems and PKI components such as a Registration Authority (RA) and a Certification Authority (CA). This document obsoletes RFC 4210 by including the updates specified by CMP Updates RFC 9480 Section 2 and Appendix A.2 maintaining backward compatibility with CMP version 2 wherever possible and obsoletes both documents. Updates to CMP version 2 are: improving crypto agility, extending the polling mechanism, adding new general message types, and adding extended key usages to identify special CMP server authorizations. Introducing CMP version 3 to be used only for changes to the ASN.1 syntax, which are: support of EnvelopedData instead of EncryptedValue, hashAlg for indicating a hash AlgorithmIdentifier in certConf messages, and RootCaKeyUpdateContent in ckuann messages. In addition to the changes specified in CMP Updates RFC 9480 this document adds support for management of KEM certificates. The EST (Enrollment over Secure Transport) protocol defines the Well-Known URI (Uniform Resource Identifier) -- /.well-known/est -- along with a number of other path components that clients use for PKI (Public Key Infrastructure) services, namely certificate enrollment (e.g., /simpleenroll). This document defines a number of other PKI services as additional path components -- specifically, firmware and trust anchors as well as symmetric, asymmetric, and encrypted keys. This document also specifies the PAL (Package Availability List), which is an XML (Extensible Markup Language) file or JSON (JavaScript Object Notation) object that clients use to retrieve packages available and authorized for them. This document extends the EST server path components to provide these additional services. This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes. [STANDARDS-TRACK] This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes. In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. This document specifies the use of the Constrained Application Protocol (CoAP) as a transfer mechanism for the Certificate Management Protocol (CMP). CMP defines the interaction between various PKI entities for the purpose of certificate creation and management. CoAP is an HTTP-like client-server protocol used by various constrained devices in the Internet of Things space. This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community. This document describes the Certificate Request Message Format (CRMF) syntax and semantics. This syntax is used to convey a request for a certificate to a Certification Authority (CA), possibly via a Registration Authority (RA), for the purposes of X.509 certificate production. The request will typically include a public key and the associated registration information. This document does not define a certificate request protocol. [STANDARDS-TRACK] In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. Arm Limited Arm Limited HP Labs Linaro The Arm Platform Security Architecture (PSA) is a family of hardware and firmware security specifications, as well as open-source reference implementations, to help device makers and chip manufacturers build best-practice security into products. Devices that are PSA compliant can produce attestation tokens as described in this memo, which are the basis for many different protocols, including secure provisioning and network access control. This document specifies the PSA attestation token structure and semantics. The PSA attestation token is a profile of the Entity Attestation Token (EAT). This specification describes what claims are used in an attestation token generated by PSA compliant systems, how these claims get serialized to the wire, and how they are cryptographically protected. This informational document is published as an independent submission to improve interoperability with Arm's architecture. It is not a standard nor a product of the IETF. Security Theory LLC Mediatek USA Qualcomm Technologies Inc. Red Hound Software, Inc. An Entity Attestation Token (EAT) provides an attested claims set that describes state and characteristics of an entity, a device like a smartphone, IoT device, network equipment or such. This claims set is used by a relying party, server or service to determine the type and degree of trust placed in the entity. An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation-oriented claims. Trusted Computing Group

Acknowledgments We would like to thank Russ Housley, Thomas Fossati, Watson Ladd, Ionut Mihalcea, Carl Wallace, and Michael StJohns for their review comments.