Clarification of Enrollment over Secure Transport (EST): Transfer Encodings and ASN.1
RFC 8951

Document Type RFC - Proposed Standard (November 2020; No errata)
Updates RFC 7030
Authors Michael Richardson  , Thomas Werner  , Wei Pan 
Last updated 2020-11-19
Replaces draft-richardson-lamps-rfc7030est-clarify
Stream Internet Engineering Task Force (IETF)
Formats plain text html xml pdf htmlized (tools) htmlized bibtex
Stream WG state Submitted to IESG for Publication
Document shepherd Russ Housley
Shepherd write-up Show (last changed 2020-05-14)
IESG IESG state RFC 8951 (Proposed Standard)
Action Holders
Consensus Boilerplate Yes
Telechat date
Responsible AD Roman Danyliw
Send notices to Russ Housley <>
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack
IANA expert review state Expert Reviews OK

Internet Engineering Task Force (IETF)                     M. Richardson
Request for Comments: 8951                      Sandelman Software Works
Updates: 7030                                                  T. Werner
Category: Standards Track                                        Siemens
ISSN: 2070-1721                                                   W. Pan
                                                     Huawei Technologies
                                                           November 2020

   Clarification of Enrollment over Secure Transport (EST): Transfer
                          Encodings and ASN.1


   This document updates RFC 7030: Enrollment over Secure Transport to
   resolve some errata that were reported and that have proven to cause
   interoperability issues when RFC 7030 was extended.

   This document deprecates the specification of "Content-Transfer-
   Encoding" headers for Enrollment over Secure Transport (EST)
   endpoints.  This document fixes some syntactical errors in ASN.1 that
   were present.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Changes to EST Endpoint Processing
     3.1.  White Space Processing
     3.2.  Changes to Section 4 of RFC 7030
       3.2.1.  Section 4.1.3
       3.2.2.  Section 4.3.1
       3.2.3.  Section 4.3.2
       3.2.4.  Section 4.4.2
       3.2.5.  Section 4.5.2
   4.  Clarification of ASN.1 for Certificate Attribute Set
   5.  Clarification of Error Messages for Certificate Enrollment
     5.1.  Updating Section 4.2.3: Simple Enroll and Re-enroll
     5.2.  Updating Section 4.4.2: Server-Side Key Generation Response
   6.  Privacy Considerations
   7.  Security Considerations
   8.  IANA Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  ASN.1 Module
   Authors' Addresses

1.  Introduction

   Enrollment over Secure Transport (EST) is defined in [RFC7030].  The
   EST specification defines a number of HTTP endpoints for certificate
   enrollment and management.  The details of the transaction were
   defined in terms of MIME headers, as defined in [RFC2045], rather
   than in terms of the HTTP protocol, as defined in [RFC7230] and

   [RFC2616] and later Appendix A.5 of [RFC7231] have text specifically
   deprecating Content-Transfer-Encoding.  However, [RFC7030]
   incorrectly uses this header.

   Any updates to [RFC7030] to bring it in line with HTTP processing
   risk changing the on-wire protocol in a way that is not backwards
   compatible.  However, reports from implementers suggest that many
   implementations do not send the Content-Transfer-Encoding, and many
   of them ignore it.  The consequence is that simply deprecating the
   header would remain compatible with current implementations.

   [BRSKI] extends [RFC7030], adding new functionality.  Interop testing
   of the protocol has revealed that unusual processing called out in
   [RFC7030] causes confusion.

   EST is currently specified as part of [IEC62351] and is widely used
   in government, utilities, and financial markets today.

   This document, therefore, revises [RFC7030] to reflect the field
   reality, deprecating the extraneous field.

   This document deals with errata numbers [errata4384], [errata5107],
   [errata5108], and [errata5904].

   This document deals with [errata5107] and [errata5904] in Section 3.
   [errata5108] is dealt with in Section 5.  [errata4384] is closed by
   correcting the ASN.1 Module in Section 4.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
Show full document text