Tech-invite3GPPspecsGlossariesIETFRFCsGroupsSIPABNFsWorld Map

RFC 8295

 
 
 

EST (Enrollment over Secure Transport) Extensions

Part 4 of 4, p. 40 to 54
Prev Section

 


prevText      Top      ToC       Page 40 
9.  PAL and Certificate Enrollment

   The /fullcmc PC is defined in [RFC7030]; the CMC (Certificate
   Management over Cryptographic Message Syntax) requirements and
   packages are defined in [RFC5272], [RFC5273], [RFC5274], and
   [RFC6402].  This section describes PAL interactions.

   Under normal circumstances, the client-server interactions for PKI
   enrollment are as follows:

           Client                       Server
                 --------------------->
             POST req: PKIRequest
             Content-Type: application/pkcs10
            or
             POST req: PKIRequest
             Content-Type: application/pkcs7-mime
                           smime-type=CMC-request

                  <--------------------
                         POST res: PKIResponse
                         Content-Type: application/pkcs7-mime
                                       smime-type=certs-only
                        or
                         POST res: PKIResponse
                         Content-Type: application/pkcs7-mime
                                       smime-type=CMC-response

   If the response is rejected during the same session:

           Client                       Server
                  --------------------->
              POST req: PKIRequest
              Content-Type: application/pkcs10
             or
              POST req: PKIRequest
              Content-Type: application/pkcs7-mime
                            smime-type=CMC-request

                  <--------------------
                         POST res: empty
                         HTTPS Status Code
                        or
                         POST res: PKIResponse
                         Content-Type: application/pkcs7-mime
                                       smime-type=CMC-response

Top      Up      ToC       Page 41 
   If the request is to be filled later:

           Client                       Server
                  --------------------->
              POST req: PKIRequest
              Content-Type: application/pkcs10
             or
              POST req: PKIRequest
              Content-Type: application/pkcs7-mime
                            smime-type=CMC-request

                  <--------------------
                         POST res: empty
                         HTTPS Status Code
                         + Retry-After
                        or
                         POST res: PKIResponse (pending)
                         Content-Type: application/pkcs7-mime
                                       smime-type=CMC-response

                  --------------------->
              POST req: PKIRequest (same request)
              Content-Type: application/pkcs10
             or
              POST req: PKIRequest (CMC Status Info only)
              Content-Type: application/pkcs7-mime
                            smime-type=CMC-request

                  <--------------------
                         POST res: PKIResponse
                         Content-Type: application/pkcs7-mime
                                       smime-type=certs-only
                        or
                         POST res: PKIResponse
                         Content-Type: application/pkcs7-mime
                                       smime-type=CMC-response

Top      Up      ToC       Page 42 
   With the PAL, the client begins after pulling the PAL and a Start
   Issuance PAL package type, essentially adding the following before
   the request:

           Client                       Server
                 --------------------->
             GET req: PAL
                  <--------------------
                         GET res: PAL
                         Content-Type: application/xml

   The client then proceeds as above with a simple PKI enrollment or a
   full CMC enrollment, or it begins enrollment assisted by a CSR:

           Client                       Server
                 --------------------->
             GET req: DS certificate with CSR

                  <--------------------
                         GET res: PAL
                         Content-Type: application/csrattrs

   For immediately rejected requests, CMC works well.  If the server
   prematurely closes the connection, then the procedures in
   Section 6.3.1 of [RFC7230] apply.  But this might leave the client
   and server in a different state.  The client could merely resubmit
   the request, but another option, documented herein, is for the client
   to instead download the PAL to see if the server has processed the
   request.  Clients might also use this process when they are unable to
   remain connected to the server for the entire enrollment process; if
   the server does not or is not able to return a PKIData indicating a
   status of pending, then the client will not know whether the request
   was received.  If a client uses the PAL and reconnects to determine
   if the certification or rekey or renew request was processed:

   o  Clients MUST authenticate the server, and clients MUST check the
      server's authorization.

   o  The server MUST authenticate the client, and the server MUST check
      the client's authorization.

   o  Clients retrieve the PAL, using the /pal URI.

   o  Clients and servers use the operation path of "/simpleenroll",
      "simplereenroll", or "/fullcmc", based on the PAL entry, with an
      HTTP GET [RFC7231] to get the success or failure response.

   Responses are as specified in [RFC7030].

Top      Up      ToC       Page 43 
10.  Security Considerations

   This document relies on many other specifications; however, all of
   the security considerations in [RFC7030] apply.  Refer also to the
   following:

   o  For HTTP, HTTPS, and TLS security considerations, see [RFC7231],
      [RFC2818], and [RFC5246].

   o  For URI security considerations, see [RFC3986].

   o  For content type security considerations, see [RFC4073],
      [RFC4108], [RFC5272], [RFC5652], [RFC5751], [RFC5934], [RFC5958],
      [RFC6031], [RFC6032], [RFC6268], [RFC6402], [RFC7191], and
      [RFC7292].

   o  For algorithms used to protect packages, see [RFC3370], [RFC5649],
      [RFC5753], [RFC5754], [RFC5959], [RFC6033], [RFC6160], [RFC6161],
      [RFC6162], and [RFC7192].

   o  For random numbers, see [RFC4086].

   o  For server-generated asymmetric key pairs, see [RFC7030].

Top      Up      ToC       Page 44 
11.  IANA Considerations

   IANA has created the "PAL Package Types" registry and performed three
   registrations: PAL Name Space, PAL XML Schema, and PAL Package Types.

11.1.  PAL Name Space

   This section registers a new XML namespace [XMLNS],
   "urn:ietf:params:xml:ns:pal", per the guidelines in [RFC3688]:

      URI: urn:ietf:params:xml:ns:pal
      Registrant Contact: Sean Turner (sean@sn3rd.com)
      XML:
         BEGIN
            <?xml version="1.0"?>
            <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
               "https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
            <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en">
            <head>
               <title>Package Availability List</title>
            </head>
            <body>
               <h1>Namespace for Package Availability List</h1>
               <h2>urn:ietf:params:xml:ns:pal</h2>
               <p>See RFC 8295</p>
            </body>
            </html>
         END

11.2.  PAL XML Schema

   This section registers an XML schema as per the guidelines in
   [RFC3688].

      URI: urn:ietf:params:xml:schema:pal
      Registrant Contact: Sean Turner (sean@sn3rd.com)
      XML: See Section 2.1.2.

11.3.  PAL Package Types

   IANA has created a new registry named "PAL Package Types".  This
   registry is for PAL package types whose initial values are found in
   Section 2.1.1.  Future registrations of PAL package types are subject
   to Expert Review, as defined in RFC 8126 [RFC8126].  Package types
   MUST be paired with a media type; package types specify the path
   components to be used that in turn specify the media type used.

Top      Up      ToC       Page 45 
12.  References

12.1.  Normative References

   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Two: Media Types", RFC 2046,
              DOI 10.17487/RFC2046, November 1996,
              <https://www.rfc-editor.org/info/rfc2046>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2585]  Housley, R. and P. Hoffman, "Internet X.509 Public Key
              Infrastructure Operational Protocols: FTP and HTTP",
              RFC 2585, DOI 10.17487/RFC2585, May 1999,
              <https://www.rfc-editor.org/info/rfc2585>.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818,
              DOI 10.17487/RFC2818, May 2000,
              <https://www.rfc-editor.org/info/rfc2818>.

   [RFC2985]  Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
              Classes and Attribute Types Version 2.0", RFC 2985,
              DOI 10.17487/RFC2985, November 2000,
              <https://www.rfc-editor.org/info/rfc2985>.

   [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
              Algorithms", RFC 3370, DOI 10.17487/RFC3370, August 2002,
              <https://www.rfc-editor.org/info/rfc3370>.

   [RFC3394]  Schaad, J. and R. Housley, "Advanced Encryption Standard
              (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394,
              September 2002, <https://www.rfc-editor.org/info/rfc3394>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

Top      Up      ToC       Page 46 
   [RFC4073]  Housley, R., "Protecting Multiple Contents with the
              Cryptographic Message Syntax (CMS)", RFC 4073,
              DOI 10.17487/RFC4073, May 2005,
              <https://www.rfc-editor.org/info/rfc4073>.

   [RFC4108]  Housley, R., "Using Cryptographic Message Syntax (CMS) to
              Protect Firmware Packages", RFC 4108,
              DOI 10.17487/RFC4108, August 2005,
              <https://www.rfc-editor.org/info/rfc4108>.

   [RFC4514]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): String Representation of Distinguished Names",
              RFC 4514, DOI 10.17487/RFC4514, June 2006,
              <https://www.rfc-editor.org/info/rfc4514>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/info/rfc5246>.

   [RFC5272]  Schaad, J. and M. Myers, "Certificate Management over CMS
              (CMC)", RFC 5272, DOI 10.17487/RFC5272, June 2008,
              <https://www.rfc-editor.org/info/rfc5272>.

   [RFC5273]  Schaad, J. and M. Myers, "Certificate Management over CMS
              (CMC): Transport Protocols", RFC 5273,
              DOI 10.17487/RFC5273, June 2008,
              <https://www.rfc-editor.org/info/rfc5273>.

   [RFC5274]  Schaad, J. and M. Myers, "Certificate Management Messages
              over CMS (CMC): Compliance Requirements", RFC 5274,
              DOI 10.17487/RFC5274, June 2008,
              <https://www.rfc-editor.org/info/rfc5274>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5649]  Housley, R. and M. Dworkin, "Advanced Encryption Standard
              (AES) Key Wrap with Padding Algorithm", RFC 5649,
              DOI 10.17487/RFC5649, September 2009,
              <https://www.rfc-editor.org/info/rfc5649>.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <https://www.rfc-editor.org/info/rfc5652>.

Top      Up      ToC       Page 47 
   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", RFC 5751, DOI 10.17487/RFC5751,
              January 2010, <https://www.rfc-editor.org/info/rfc5751>.

   [RFC5753]  Turner, S. and D. Brown, "Use of Elliptic Curve
              Cryptography (ECC) Algorithms in Cryptographic Message
              Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753,
              January 2010, <https://www.rfc-editor.org/info/rfc5753>.

   [RFC5754]  Turner, S., "Using SHA2 Algorithms with Cryptographic
              Message Syntax", RFC 5754, DOI 10.17487/RFC5754,
              January 2010, <https://www.rfc-editor.org/info/rfc5754>.

   [RFC5934]  Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor
              Management Protocol (TAMP)", RFC 5934,
              DOI 10.17487/RFC5934, August 2010,
              <https://www.rfc-editor.org/info/rfc5934>.

   [RFC5958]  Turner, S., "Asymmetric Key Packages", RFC 5958,
              DOI 10.17487/RFC5958, August 2010,
              <https://www.rfc-editor.org/info/rfc5958>.

   [RFC5959]  Turner, S., "Algorithms for Asymmetric Key Package Content
              Type", RFC 5959, DOI 10.17487/RFC5959, August 2010,
              <https://www.rfc-editor.org/info/rfc5959>.

   [RFC5967]  Turner, S., "The application/pkcs10 Media Type", RFC 5967,
              DOI 10.17487/RFC5967, August 2010,
              <https://www.rfc-editor.org/info/rfc5967>.

   [RFC6010]  Housley, R., Ashmore, S., and C. Wallace, "Cryptographic
              Message Syntax (CMS) Content Constraints Extension",
              RFC 6010, DOI 10.17487/RFC6010, September 2010,
              <https://www.rfc-editor.org/info/rfc6010>.

   [RFC6031]  Turner, S. and R. Housley, "Cryptographic Message Syntax
              (CMS) Symmetric Key Package Content Type", RFC 6031,
              DOI 10.17487/RFC6031, December 2010,
              <https://www.rfc-editor.org/info/rfc6031>.

   [RFC6032]  Turner, S. and R. Housley, "Cryptographic Message Syntax
              (CMS) Encrypted Key Package Content Type", RFC 6032,
              DOI 10.17487/RFC6032, December 2010,
              <https://www.rfc-editor.org/info/rfc6032>.

Top      Up      ToC       Page 48 
   [RFC6033]  Turner, S., "Algorithms for Cryptographic Message Syntax
              (CMS) Encrypted Key Package Content Type", RFC 6033,
              DOI 10.17487/RFC6033, December 2010,
              <https://www.rfc-editor.org/info/rfc6033>.

   [RFC6160]  Turner, S., "Algorithms for Cryptographic Message Syntax
              (CMS) Protection of Symmetric Key Package Content Types",
              RFC 6160, DOI 10.17487/RFC6160, April 2011,
              <https://www.rfc-editor.org/info/rfc6160>.

   [RFC6161]  Turner, S., "Elliptic Curve Algorithms for Cryptographic
              Message Syntax (CMS) Encrypted Key Package Content Type",
              RFC 6161, DOI 10.17487/RFC6161, April 2011,
              <https://www.rfc-editor.org/info/rfc6161>.

   [RFC6162]  Turner, S., "Elliptic Curve Algorithms for Cryptographic
              Message Syntax (CMS) Asymmetric Key Package Content Type",
              RFC 6162, DOI 10.17487/RFC6162, April 2011,
              <https://www.rfc-editor.org/info/rfc6162>.

   [RFC6268]  Schaad, J. and S. Turner, "Additional New ASN.1 Modules
              for the Cryptographic Message Syntax (CMS) and the Public
              Key Infrastructure Using X.509 (PKIX)", RFC 6268,
              DOI 10.17487/RFC6268, July 2011,
              <https://www.rfc-editor.org/info/rfc6268>.

   [RFC6402]  Schaad, J., "Certificate Management over CMS (CMC)
              Updates", RFC 6402, DOI 10.17487/RFC6402, November 2011,
              <https://www.rfc-editor.org/info/rfc6402>.

   [RFC7030]  Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
              "Enrollment over Secure Transport", RFC 7030,
              DOI 10.17487/RFC7030, October 2013,
              <https://www.rfc-editor.org/info/rfc7030>.

   [RFC7303]  Thompson, H. and C. Lilley, "XML Media Types", RFC 7303,
              DOI 10.17487/RFC7303, July 2014,
              <https://www.rfc-editor.org/info/rfc7303>.

   [RFC7191]  Housley, R., "Cryptographic Message Syntax (CMS) Key
              Package Receipt and Error Content Types", RFC 7191,
              DOI 10.17487/RFC7191, April 2014,
              <https://www.rfc-editor.org/info/rfc7191>.

   [RFC7192]  Turner, S., "Algorithms for Cryptographic Message Syntax
              (CMS) Key Package Receipt and Error Content Types",
              RFC 7192, DOI 10.17487/RFC7192, April 2014,
              <https://www.rfc-editor.org/info/rfc7192>.

Top      Up      ToC       Page 49 
   [RFC7193]  Turner, S., Housley, R., and J. Schaad, "The
              application/cms Media Type", RFC 7193,
              DOI 10.17487/RFC7193, April 2014,
              <https://www.rfc-editor.org/info/rfc7193>.

   [RFC7230]  Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
              Transfer Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <https://www.rfc-editor.org/info/rfc7230>.

   [RFC7231]  Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
              Transfer Protocol (HTTP/1.1): Semantics and Content",
              RFC 7231, DOI 10.17487/RFC7231, June 2014,
              <https://www.rfc-editor.org/info/rfc7231>.

   [RFC7292]  Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A.,
              and M. Scott, "PKCS #12: Personal Information Exchange
              Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014,
              <https://www.rfc-editor.org/info/rfc7292>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in
              RFC 2119 Key Words", BCP 14, RFC 8174,
              DOI 10.17487/RFC8174, May 2017,
              <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

   [XML]      Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and
              F. Yergeau, "Extensible Markup Language (XML) 1.0
              (Fifth Edition)", World Wide Web Consortium
              Recommendation REC-xml-20081126, November 2008,
              <https://www.w3.org/TR/2008/REC-xml-20081126/>.

   [XMLSCHEMA]
              Malhotra, A. and P. Biron, "XML Schema Part 2: Datatypes
              Second Edition", World Wide Web Consortium
              Recommendation REC-xmlschema-2-20041028, October 2004,
              <https://www.w3.org/TR/2004/REC-xmlschema-2-20041028>.

Top      Up      ToC       Page 50 
   [X.690]    ITU-T, "Information technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1,
              August 2015, <https://www.itu.int/rec/T-REC-X.690/en>.

12.2.  Informative References

   [PKCS12]   IANA, "PKCS #12", <https://www.iana.org/assignments/
              media-types/application/pkcs12>.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005,
              <https://www.rfc-editor.org/info/rfc4086>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [XMLNS]    Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
              Thompson, "Namespaces in XML 1.0 (Third Edition)",
              World Wide Web Consortium Recommendation
              REC-xml-names-20091208/, December 2009,
              <https://www.w3.org/TR/2009/REC-xml-names-20091208/>.

Top      Up      ToC       Page 51 
Appendix A.  Example Use of PAL

   This is an informative appendix.  It includes examples of protocol
   flows.

   Steps for using a PAL include the following:

   1. Access PAL

   2. Process PAL entries
      2.1. Get CA certificates
      2.2. Get CRLs
      2.3. Get CSR attributes
      2.4. Enroll: simple enrollment, re-enrollment, or full CMC
      2.5. Get Firmware, TAMP, Symmetric Keys, or EE certificates

   Client                      Server
         --------------------->                     -+
   GET req:                                          | /pal
         <---------------------                      |
                       GET res: PAL                  |
                       Content-Type: application/xml |
                                                     |
         --------------------->                     -+
   GET req:                                          | /cacerts
         <---------------------                      |
               GET res: CA Certificates              |
               Content-Type: application/pkcs7-smime |
                             smime-type=certs-only   |
                                                     |
         --------------------->                     -+
   GET req:                                          | /crls
         <---------------------                      |
               GET res: CRLs                         |
               Content-Type: application/pkcs7-smime |
                             smime-type=crls-only    |
                                                     |
         --------------------->                     -+
   GET req:                                          | /csrattrs
         <---------------------                      |
                           GET res: attributes       |

Top      Up      ToC       Page 52 
         --------------------->                     -+
   POST req: PKIRequest                              | /simpleenroll and
   Content-Type: application/pkcs10                  | /simplereenroll
                                                     |
   Content-Type: application/pkcs7-mime              | /fullcmc
                 smime-type=CMC-request              |
                                                     |
         <--------------------                       |
              (success or failure)                   |
              POST res: PKIResponse                  | /simpleenroll
              Content-Type: application/pkcs7-mime   | /simplereenroll
                            smime-type=certs-only    | /fullcmc
                                                     |
              Content-Type: application/pkcs7-mime   | /fullcmc
                            smime-type=CMC-response  |
                                                     |
         -------------------->                      -+
   GET req:                                          | /firmware
         <--------------------                       | /tamp
               GET res: Firmware, TAMP Query         | /symmetrickeys
                        + Updates, Symmetric Keys    |
                Content-Type: application/cms        |
                                                     |
         --------------------->                     -+
   POST res: Firmware Receipts or Errors,            | /firmware/return
   TAMP Response or Confirms or Errors,              | /tamp/return
   Symmetric Key Receipts or Errors                  | /symmetrickeys/
                                                     |      return
                                                     |
   Content-Type: application/cms                     |
         <--------------------                       |
               POST res: empty                       |
                (success or failure)                 |
         -------------------->                      -+
   GET req:                                          | /eecerts
         <--------------------                       |
               GET res: Other EE certificates        |
                Content-Type: application/pkcs7-mime |
                              smime-type=certs-only  |

   The figure above shows /eecerts after /*/return, but this is for
   illustrative purposes only.

Top      Up      ToC       Page 53 
Appendix B.  Additional CSR Attributes

   This is an informative appendix.

   In some cases, the client is severely limited in its ability to
   encode and decode ASN.1 objects.  If the client knows that a "csr"
   template is being provided during enrollment, then it can peel the
   returned CSR attribute, generate its keys, place the public key in
   the certification request, and then sign the request.  To accomplish
   this, the server returns a pKCS7PDU attribute [RFC2985] in the
   /csrattrs (the following is "pseudo ASN.1" and is only meant to show
   the fields needed to accomplish returning a template certification
   request):

     pKCS7PDU ATTRIBUTE ::= {
       WITH SYNTAX ContentInfo
       ID pkcs-9-at-pkcs7PDU
       }

     pkcs-9-at-pkcs7PDU OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       pkcs-9-at(25) 5
       }

   The ContentInfo is a PKIData:

     PKIData ::= SEQUENCE {
       reqSequence        SEQUENCE SIZE(0..MAX) OF TaggedRequest
       }

   Where TaggedRequest is a choice between the PKCS #10 or Certificate
   Request Message Format (CRMF) requests.

     TaggedRequest ::= CHOICE {
       tcr               [0] TaggedCertificationRequest,
       crm               [1] CertReqMsg
       }

   Or, the ContentInfo can be a signed-data content type that further
   encapsulates a PKIData.

Top      Up      ToC       Page 54 
Acknowledgements

   Thanks in no particular order go to Alexey Melnikov, Paul Hoffman,
   Brad McInnis, Max Pritikin, Francois Rousseau, Chris Bonatti, and
   Russ Housley for taking time to provide comments.

Author's Address

   Sean Turner
   sn3rd

   Email: sean@sn3rd.com