PKI Message
...
In terms of the PKI messages which are produced we can regard the
initiation of the initial registration / certification exchanges as
occurring wherever the first PKI message relating to the end entity
is produced. Note that the real-world initiation of the registration ...
... transaction) via some out-of-band means. The initial authentication
key can then be used to protect relevant PKI messages.
...
... according to whether or not the on-line end entity -> PKI messages
are authenticated.
...
... Overall PKI Message ...
... }
The PKIHeader contains information which is common to many PKI
messages.
The PKIBody contains message-specific information.
...
The PKIProtection, when used, contains bits that protect the PKI
message.
The extraCerts field can contain certificates ...
... PKI Message Header ...
... transaction identification. Some of this information will also be
present in a transport-specific envelope; however, if the PKI message
is protected then this information is also protected (i.e., we make
no assumption about secure transport ...
... PKI Message Body ...
... PKI Message Protection ...
... key value and the DH public key of the recipient of the PKI message.
PKIProtection will contain a MAC value keyed with this derived
...
... sender possesses a signature key pair it may simply sign
the PKI message. PKIProtection will contain the signature value and
the protectionAlg will be an AlgorithmIdentifier for a digital
signature ...
... CA). This is accomplished
by nesting the entire message sent by the end entity within a new PKI
message. The structure used is as follows.
NestedMessageContent ::= PKIMessage
...
... either private keys or certificates) are sent in PKI messages the
EncryptedValue data structure is used.
...
... Status codes and Failure Information for PKI messages ...
... encrypted with the protocolEncKey).
See Section 3.3.4 for CertRepMessage syntax. Note that if the PKI
Message Protection is "shared secret information" (see Section
3.1.3), then any certificate ...
... Note that not all PKI management functions result in the creation of
a PKI message.
...
... which will be successful. However, for simplicity we do not mandate
that the end entity acquires this information via the PKI messages.
The end result is simply that some certification requests may fail
...
... RAs and
CAs to pass PKI messages between them. There is no requirement for
specific security mechanisms to be applied at this level if the PKI
messages are suitably protected (that is, if the OPTIONAL
PKIProtection parameter is used as specified for each message).
...
... DER encoding of
one PKI message, i.e., there MUST be no extraneous header or trailer
information in the file.
...
... TCP-based protocol is to be used for transport
of PKI messages. This protocol is suitable for cases where an end
entity (or an RA ...
... end
entity must either supply a listener process or be supplied with a
polling reference (see below) in order to allow it to pick up the PKI
message from the PKI management component.
...
... initiator binds to this port and submits the
initial PKI message for a given transaction ID. The responder replies
with a PKI message and/or with a reference number to be used later
when polling for the actual PKI message response.
...
... initiator of a transaction sends a "direct TCP-based PKI message"
to the recipient. The recipient responds with a similar message.
...
A "direct TCP-based PKI message" consists of:
...
... time-to-check-back (32 bits)
-- poll response where no PKI message response ready; use polling
-- reference value (and estimated time value) for later polling
pollReq '02'H polling reference (32 bits)
-- request for a PKI message response to initial message
negPollRep '03'H '00'H
-- no further polling responses (i.e., transaction ...
... 32 bits),
DER-encoded PKI message
-- partial response to initial message plus new polling reference
-- (and estimated time value) to use to get next part of response
finalMsgRep '05'H DER-encoded PKI message
-- final (and possibly sole) response to initial message
errorMsgRep '06'H human readable error message ...
... subfield of the first CertReqMsg contained in a request message).
9. All PKI message exchanges in Sections B7-B10 require a PKIConfirm
message to be sent by the initiating entity. This message is not
...
... algorithm which this CA expects to be used in later
-- PKI messages (for encryption)
CAKeyUpdateInfo optionally present, with
...
... PKI. There is no requirement for specific security
mechanisms to be applied at this level if the PKI messages themselves
are protected as defined in the PKIX specifications.
...
... protocols (as defined by the IETF PKIX Working Group) to send PKI
messages via E-Mail or HTTP.
...
