The SODP (Secure Object Delivery Protocol) Server Interfaces: NSA's Profile for Delivery of Certificates, CRLs, and Symmetric Keys to Clients

The information below is for an old version of the document
Document Type Expired Internet-Draft (individual)
Authors Michael Jenkins  , Sean Turner 
Last updated 2020-02-17 (latest revision 2019-08-16)
Stream ISE
Intended RFC status Informational
Expired & archived
pdf htmlized (tools) htmlized bibtex
IETF conflict review conflict-review-turner-sodp-profile
Additional Resources
Stream ISE state In ISE Review
Waiting for Dependency on Other Document
Consensus Boilerplate Unknown
Document shepherd Adrian Farrel
Shepherd write-up Show (last changed 2019-08-01)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to Adrian Farrel <>
IANA IANA review state Version Changed - Review Needed

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document specifies protocol interfaces profiled by the US NSA (United States National Security Agency) for NSS (National Security System) servers that provide public key certificates, CRLs (Certificate Revocation Lists), and symmetric keys to NSS clients. Servers that support these interfaces are referred to as SODP (Secure Object Delivery Protocol) servers. The intended audience for this profile comprises developers of client devices that will obtain key management services from NSA-operated SODP servers. Interfaces supported by SODP servers include: EST (Enrollment over Secure Transport) and its extensions as well as CMC (Certificate Management over CMS (Cryptographic Message Syntax)). This profile applies to the capabilities, configuration, and operation of all components of US National Security Systems (SP 800- 59). It is also appropriate for other US Government systems that process high-value information. It is made publicly available for use by developers and operators of these and any other system deployments.


Michael Jenkins (
Sean Turner (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)