This document describes the conventions for using several cryptographic algorithms with the Certificate Management Protocol (CMP). CMP is used to enroll and further manage the lifecycle of X.509 certificates. This document also updates the algorithm use profile from Appendix D.2 of RFC 4210.

This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9481.

Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Appendix D.2 of RFC 4210 contains a set of algorithms that is mandatory to be supported by implementations conforming to [RFC 4210]. These algorithms were appropriate at the time CMP was released, but as cryptographic algorithms weaken over time, some of them should no longer be used. In general, new attacks are emerging due to research in cryptanalysis or an increase in computing power. New algorithms were introduced that are more resistant to today's attacks. This document lists current cryptographic algorithms that can be used with CMP to offer an easier way to maintain the list of suitable algorithms over time.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC 2119] [RFC 8174] when, and only when, they appear in all capitals, as shown here. In the following sections, ASN.1 values and types are used to indicate where algorithm identifier and output values are provided. These ASN.1 values and types are defined in [RFC 4210], [RFC 4211], [RFC 9480], and [RFC 5652].

This section provides references to object identifiers and conventions to be employed by CMP implementations that support SHA2 or SHAKE message digest algorithms. Digest algorithm identifiers are located in the:

• hashAlg field of OOBCertHash and CertStatus,
• owf field of Challenge, PBMParameter, and DHBMParameter,
• digestAlgorithms field of SignedData, and
• digestAlgorithm field of SignerInfo.

Digest values are located in the:

• hashVal field of OOBCertHash,
• certHash field of CertStatus, and
• witness field of Challenge.

In addition, digest values are input to signature algorithms.

The SHA2 algorithm family is defined in [NIST.FIPS.180-4]. The message digest algorithms SHA-224, SHA-256, SHA-384, and SHA-512 are identified by the following OIDs: Specific conventions to be considered are specified in Section 2 of RFC 5754.

The SHA-3 family of hash functions is defined in [NIST.FIPS.202] and consists of the fixed output length variants SHA3-224, SHA3-256, SHA3-384, and SHA3-512, as well as the extendable-output functions (XOFs) SHAKE128 and SHAKE256. Currently, SHAKE128 and SHAKE256 are the only members of the SHA3-family that are specified for use in X.509 certificates [RFC 8692] and CMS [RFC 8702] as one-way hash functions for use with RSASSA-PSS and ECDSA. SHAKE is an extendable-output function, and [NIST.FIPS.202] prohibits using SHAKE as a general-purpose hash function. When SHAKE is used in CMP as a message digest algorithm, the output length MUST be 256 bits for SHAKE128 and 512 bits for SHAKE256. The message digest algorithms SHAKE128 and SHAKE256 are identified by the following OIDs: Specific conventions to be considered are specified in Section 3.1 of RFC 8702.

This section provides references to object identifiers and conventions to be employed by CMP implementations that support signature algorithms like RSA, ECDSA, or EdDSA. The signature algorithm is referred to as MSG_SIG_ALG in Appendices D and E of [RFC 4210], in the [RFC 9483], and in Section 7.2. Signature algorithm identifiers are located in the:

• protectionAlg field of PKIHeader,
• algorithmIdentifier field of POPOSigningKey, and
• signatureAlgorithm field of CertificationRequest, SignKeyPairTypes, and SignerInfo

Signature values are located in the:

• protection field of PKIMessage,
• signature field of POPOSigningKey, and
• signature field of CertificationRequest and SignerInfo.

The RSA (RSASSA-PSS and PKCS #1 version 1.5) signature algorithm is defined in [RFC 8017]. The algorithm identifier for RSASAA-PSS signatures used with SHA2 message digest algorithms is identified by the following OID: Specific conventions to be considered are specified in [RFC 4056]. The signature algorithm RSASSA-PSS used with SHAKE message digest algorithms is identified by the following OIDs: Specific conventions to be considered are specified in Section 3.2.1 of RFC 8702. The signature algorithm PKCS #1 version 1.5 used with SHA2 message digest algorithms is identified by the following OIDs: Specific conventions to be considered are specified in Section 3.2 of RFC 5754.

The ECDSA signature algorithm is defined in [NIST.FIPS.186-5]. The signature algorithm ECDSA used with SHA2 message digest algorithms is identified by the following OIDs: As specified in [RFC 5480], the NIST-recommended curves are identified by the following OIDs: Specific conventions to be considered are specified in Section 3.3 of RFC 5754. The signature algorithm ECDSA used with SHAKE message digest algorithms is identified by the following OIDs: Specific conventions to be considered are specified in Section 3.2.2 of RFC 8702.

The EdDSA signature algorithm is defined in Section 3.3 of RFC 8032 and [NIST.FIPS.186-5]. The signature algorithm Ed25519 that MUST be used with SHA-512 message digest algorithms is identified by the following OIDs: The signature algorithm Ed448 that MUST be used with SHAKE256 message digest algorithms is identified by the following OIDs: Specific conventions to be considered are specified in [RFC 8419]. Note: The hash algorithm used to calculate the certHash in certConf messages MUST be SHA512 if the certificate to be confirmed has been signed using Ed25519 or SHAKE256 with d=512 if the certificate to be confirmed has been signed using Ed448.

CMP utilizes the following general key management techniques: key agreement, key transport, and passwords. [RFC 4211] and [RFC 9480] promote the use of [RFC 5652] by deprecating the use of EncryptedValue.

The key agreement algorithm is referred to as PROT_ENC_ALG in Appendices D and E of [RFC 4210] and as KM_KA_ALG in the [RFC 9483] and Section 7. Key agreement algorithms are only used in CMP when using [RFC 5652] together with the key agreement key management technique. When a key agreement algorithm is used, a key-encryption algorithm (Section 4.3) is needed next to the content-encryption algorithm (Section 5). Key agreement algorithm identifiers are located in the:

• keyEncryptionAlgorithm field of KeyAgreeRecipientInfo.

Key wrap algorithm identifiers are located in the:

• KeyWrapAlgorithm parameters within keyEncryptionAlgorithm field of KeyAgreeRecipientInfo.

Wrapped content-encryption keys are located in the:

• encryptedKey field of RecipientEncryptedKeys.

The Diffie-Hellman (DH) key agreement is defined in [RFC 2631] and SHALL be used in the ephemeral-static variants, as specified in [RFC 3370]. Static-static variants SHALL NOT be used. The DH key agreement algorithm is identified by the following OID: Specific conventions to be considered are specified in Section 4.1 of RFC 3370.

The Elliptic Curve Diffie-Hellman (ECDH) key agreement is defined in [RFC 5753] and SHALL be used in the ephemeral-static variant, as specified in [RFC 5753], or the 1-Pass Elliptic Curve Menezes-Qu-Vanstone (ECMQV) variant, as specified in [RFC 5753]. Static-static variants SHALL NOT be used. The ECDH key agreement algorithm used together with NIST-recommended SECP curves are identified by the following OIDs: As specified in [RFC 5480], the NIST-recommended SECP curves are identified by the following OIDs: Specific conventions to be considered are specified in [RFC 5753]. The ECDH key agreement algorithm used together with curve25519 or curve448 is identified by the following OIDs: Specific conventions to be considered are specified in [RFC 8418].

The key transport algorithm is also referred to as PROT_ENC_ALG in Appendices D and E of [RFC 4210] and as KM_KT_ALG in the [RFC 9483] and Section 7. Key transport algorithms are only used in CMP when using [RFC 5652] EnvelopedData together with the key transport key management technique. Key transport algorithm identifiers are located in the:

• keyEncryptionAlgorithm field of KeyTransRecipientInfo.

Key transport encrypted content-encryption keys are located in the:

• encryptedKey field of KeyTransRecipientInfo.

The RSA key transport algorithm is the RSA encryption scheme defined in [RFC 8017]. The algorithm identifier for RSA (PKCS #1 v1.5) is: The algorithm identifier for RSAES-OAEP is: Further conventions to be considered for PKCS #1 v1.5 are specified in Section 4.2.1 of RFC 3370 and for RSAES-OAEP in [RFC 3560].

The symmetric key-encryption algorithm is also referred to as KM_KW_ALG in Section 7.2 and the [RFC 9483]. As the symmetric key-encryption key management technique is not used by CMP, the symmetric key-encryption algorithm is only needed when using the key agreement or password-based key management technique with [RFC 5652] EnvelopedData. Key wrap algorithm identifiers are located in the:

• parameters field of the KeyEncryptionAlgorithmIdentifier of KeyAgreeRecipientInfo and PasswordRecipientInfo.

Wrapped content-encryption keys are located in the:

• encryptedKey field of RecipientEncryptedKeys (for key agreement) and PasswordRecipientInfo (for password-based key management).

The AES encryption algorithm is defined in [NIST.FIPS.197], and the key wrapping is defined in [RFC 3394]. AES key encryption has the algorithm identifier: The underlying encryption functions for the key wrap and content-encryption algorithms (as specified in Section 5) and the key sizes for the two algorithms MUST be the same (e.g., AES-128 key wrap algorithm with AES-128 content-encryption algorithm); see [RFC 8551]. Further conventions to be considered for AES key wrap are specified in Section 2.2 of RFC 3394 and Section 2.3.2 of RFC 3565.

The key derivation algorithm is also referred to as KM_KD_ALG in Section 7.2 and the [RFC 9483]. Key derivation algorithms are only used in CMP when using [RFC 5652] together with the password-based key management technique. Key derivation algorithm identifiers are located in the:

• keyDerivationAlgorithm field of PasswordRecipientInfo.

When using the password-based key management technique with EnvelopedData as specified in [RFC 9480] together with PKIProtection based on the message authentication code (MAC), the salt for the password-based MAC and key derivation function (KDF) must be chosen independently to ensure usage of independent symmetric keys.

Password-based key derivation function 2 (PBKDF2) is defined in [RFC 8018]. PBKDF2 has the algorithm identifier: Further conventions to be considered for PBKDF2 are specified in Section 4.4.1 of RFC 3370 and Section 5.2 of RFC 8018.

The content-encryption algorithm is also referred to as PROT_SYM_ALG in Appendices D and E of [RFC 4210], in the [RFC 9483], and in Section 7. Content-encryption algorithms are used in CMP when using [RFC 5652] to transport a signed private key package in case of central key generation or key archiving, a certificate to facilitate implicit proof-of-possession, or a revocation passphrase in encrypted form. Content-encryption algorithm identifiers are located in the:

• contentEncryptionAlgorithm field of EncryptedContentInfo.

Encrypted content is located in the:

• encryptedContent field of EncryptedContentInfo.

The AES encryption algorithm is defined in [NIST.FIPS.197]. AES Cipher Block Chaining (AES-CBC) content encryption has the algorithm identifier: Specific conventions to be considered for AES-CBC content encryption are specified in [RFC 3565].

The message authentication code (MAC) is either used for shared secret-based CMP message protection or together with the password-based key derivation function (PBKDF2). The MAC algorithm is also referred to as MSG_MAC_ALG in Section 7, Appendices D and E of [RFC 4210], and the [RFC 9483].

Password-based message authentication code (MAC) algorithms combine the derivation of a symmetric key from a password or other shared secret information and a symmetric key-based MAC function, as specified in Section 6.2, using this derived key. MAC algorithm identifiers are located in the:

• protectionAlg field of PKIHeader.

Message authentication code values are located in the:

• PKIProtection field of PKIMessage.

The PasswordBasedMac algorithm is defined in Section 5.1.3.1 of RFC 4210, Section 4.4 of RFC 4211, and [RFC 9045]. The PasswordBasedMac algorithm is identified by the following OID: Further conventions to be considered for PasswordBasedMac are specified in Section 5.1.3.1 of RFC 4210, Section 4.4 of RFC 4211, and [RFC 9045].

Password-Based Message Authentication Code 1 (PBMAC1) is defined in [RFC 8018]. PBMAC1 combines a password-based key derivation function, like PBKDF2 (Section 4.4.1), with an underlying symmetric key-based message authentication scheme. PBMAC1 has the following OID: Specific conventions to be considered for PBMAC1 are specified in Section 7.1 and Appendix A.5 of [RFC 8018].

Symmetric key-based message authentication code (MAC) algorithms are used for deriving the symmetric encryption key when using PBKDF2, as described in Section 4.4.1, as well as with password-based MAC, as described in Section 6.1. MAC algorithm identifiers are located in the:

• protectionAlg field of PKIHeader,
• messageAuthScheme field of PBMAC1,
• mac field of PBMParameter, and
• prf field of PBKDF2-params.

MAC values are located in the:

• PKIProtection field of PKIMessage.

The HMAC algorithm is defined in [RFC 2104] and [NIST.FIPS.198-1]. The HMAC algorithm used with SHA2 message digest algorithms is identified by the following OIDs: Specific conventions to be considered for SHA2-based HMAC are specified in Section 3.1 of RFC 4231.

The AES-GMAC algorithm is defined in [NIST.FIPS.197] and [NIST.SP.800-38d]. Note: The AES-GMAC MUST NOT be used twice with the same parameter set, especially the same nonce. Therefore, it MUST NOT be used together with PBKDF2. When using it with PBMAC1, it MUST be ensured that the AES-GMAC is only used as a message authentication scheme and not for the key derivation function PBKDF2. The AES-GMAC algorithm is identified by the following OIDs: Specific conventions to be considered for the AES-GMAC are specified in [RFC 9044].

The KMAC algorithm is defined in [RFC 8702] and [NIST.SP.800-185]]. The SHAKE-based KMAC algorithm is identified by the following OIDs: Specific conventions to be considered for KMAC with SHAKE are specified in Section 3.4 of RFC 8702.

This section provides profiles of algorithms and respective conventions for different application use cases. Recommendations like those described in Table 2 of [NIST.SP.800-57pt1r5] and Section 4.6 of [ECRYPT.CSA.D5.4] provide general information on current cryptographic algorithms. The overall cryptographic strength of CMP implementations will depend on several factors, including:

• capabilities of the end entity: What kind of algorithms does the end entity support? The cryptographic strength of the system SHOULD be at least as strong as the algorithms and keys used for the certificate being managed.
• algorithm profile: The overall strength of the profile will be the strength of the weakest algorithm it contains.
• message protection: The overall strength of the CMP message protection.
  • MAC-based protection: The entropy of the shared secret information or password when MAC-based message protection is used (MSG_MAC_ALG).
  • signature-based protection: The strength of the key pair and signature algorithm when signature-based protection is used (MSG_SIG_ALG).
  • protection of centrally generated keys: The strength of the algorithms used for the key management technique (Section 7.1: PROT_ENC_ALG or Section 7.2: KM_KA_ALG, KM_KT_ALG, KM_KD_ALG) and the encryption of the content-encryption key and private key (Section 7.1: SYM_PENC_ALG, PROT_SYM_ALG or Section 7.2: KM_KW_ALG, PROT_SYM_ALG).

The following table shows the algorithms listed in this document sorted by their bits of security. If an implementation intends to enroll and manage certificates for keys of a specific security, it SHALL implement and use algorithms of at least that strength for the respective PKI management operation. If one row does not provide a suitable algorithm, the implementer MUST choose one offering more bits of security. Table 1: Cryptographic Algorithms Sorted by Their Bits of Security The following table shows the cryptographic algorithms sorted by their usage in CMP and with more details. Table 2: Cryptographic Algorithms Sorted by Their Bits of Security and Usage by CMP To avoid consuming too many computational resources, choosing a set of algorithms offering roughly the same level of security is recommended. Below are several algorithm profiles that are balanced, assuming the implementer chooses MAC secrets and/or certificate profiles of at least equivalent strength.

The following table updates the definitions of algorithms used within PKI Management Message Profiles, as defined in Appendix D.2 of RFC 4210. The columns in the table are:

Name:

An identifier used for message profiles

Use:

Description of where and for what the algorithm is used

Mandatory:

Algorithms that MUST be supported by conforming implementations

Optional:

Algorithms that are OPTIONAL to support

Deprecated:

Algorithms from [RFC 4210] that SHOULD NOT be used any more

Table 3: Algorithms Used within Appendix D.2 of RFC 4210 The following are the mandatory algorithm identifiers and specifications:

RSA:

sha256WithRSAEncryption with 2048 bit, see Section 3.1

PasswordBasedMac:

id-PasswordBasedMac, see Section 6.1 (with id-sha256 as the owf parameter, see Section 2.1 and id-hmacWithSHA256 as the mac parameter, see Section 6.2.1)

PBMAC1:

id-PBMAC1, see Section 6.1.2 (with id-PBKDF2 as the key derivation function, see Section 4.4.1 and id-hmacWithSHA256 as the message authentication scheme, see Section 6.2.1). It is RECOMMENDED to prefer the usage of PBMAC1 instead of PasswordBasedMac.

DH:

id-alg-ESDH, see Section 4.1.1

AES-wrap:

id-aes128-wrap, see Section 4.3.1

AES-CBC:

id-aes128-CBC, see Section 5.1

The following table contains definitions of algorithms that MAY be supported by implementations of the [RFC 9483]. As the set of algorithms to be used for implementations of the Lightweight CMP Profile heavily depends on the PKI management operations implemented, the certificates used for message protection, and the certificates to be managed, this document will not specify a specific set that is mandatory to support for conforming implementations. The columns in the table are:

Name:

An identifier used for message profiles

Use:

Description of where and for what the algorithm is used

Examples:

Lists the algorithms, as described in this document. The list of algorithms depends on the set of PKI management operations to be implemented.

Note: It is RECOMMENDED to prefer the usage of PBMAC1 instead of PasswordBasedMac. Table 4: Algorithms Used within the Lightweight CMP Profile

This document has no IANA actions.

This document lists many cryptographic algorithms usable with CMP to offer implementers a more up-to-date choice. Finally, the algorithms to be supported also heavily depend on the certificates and PKI management operations utilized in the target environment. The algorithm with the lowest security strength and the entropy of shared secret information defines the security of the overall solution; see Section 7. When using MAC-based message protection, the use of PBMAC1 is preferable to that of PasswordBasedMac. First, PBMAC1 is a well-known scrutinized algorithm, which is not true for PasswordBasedMac. Second, the PasswordBasedMac algorithm as specified in Section 4.4 of RFC 4211 is essentially PBKDF1 (as defined in Section 5.1 of RFC 8018) with an HMAC step at the end. Here, we update to use the PBKDF2-HMAC construct defined as PBMAC1 in [RFC 8018]. PBKDF2 is superior to PBKDF1 in an improved internal construct for iterated hashing and in removing PBKDF1's limitation of only being able to derive keys up to the size of the underlying hash function. Additionally, PBKDF1 is not recommended for new applications as stated in Section 5.1 of RFC 8018 and is no longer an approved algorithm by most standards bodies. Therefore, it presents difficulties to implementers who are submitting their CMP implementations for certification, hence moving to a PBKDF2-based mechanism. This change is in alignment with [RFC 9045], which updates [RFC 4211] to allow the use of PBMAC1 in CRMF. The AES-GMAC MUST NOT be used as the pseudorandom function (PRF) in PBKDF2; the use of the AES-GMAC more than once with the same key and the same nonce will break the security. In Section 7 of this document, there is also an update to Appendix D.2 of RFC 4210 and a set of algorithms that MAY be supported when implementing the [RFC 9483]. It is recognized that there may be older CMP implementations in use that conform to the algorithm use profile from Appendix D.2 of RFC 4210. For example, the use of AES is now mandatory for PROT_SYM_ALG, while 3-DES was mandatory in [RFC 4210]. Therefore, it is expected that many CMP systems may already support the recommended algorithms in this specification. In such systems, the weakened algorithms should be disabled from further use. If critical systems cannot be immediately updated to conform to the recommended algorithm use profile, it is recommended that a plan to migrate the infrastructure to conforming profiles be adopted as soon as possible. Symmetric key-based MAC algorithms as described in Section 6.2 MAY be used as MSG_MAC_ALG. The implementer MUST choose a suitable PRF and ensure that the key has sufficient entropy to match the overall security level of the algorithm profile. These considerations are outside the scope of the profile.

[NIST.FIPS.180-4]

National Institute of Standards and Technology, Dang, "Secure Hash Standard", NIST Federal Information Processing Standards Publications 180-4, DOI 10.6028/NIST.FIPS.180-4, July 2015,
<https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf>.

[NIST.FIPS.186-5]

National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS)", FIPS PUB 186-5, DOI 10.6028/NIST.FIPS.186-5, February 2023,
<https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf>.

[NIST.FIPS.197]

National Institute of Standards and Technology (NIST), "Advanced Encryption Standard (AES)", NIST FIPS 197, DOI 10.6028/NIST.FIPS.197, November 2001,
<https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf>.

[NIST.FIPS.198-1]

National Institute of Standards and Technology (NIST), "The Keyed-Hash Message Authentication Code (HMAC)", FIPS PUB 198-1, DOI 10.6028/NIST.FIPS.198-1, July 2008,
<https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf>.

[NIST.FIPS.202]

National Institute of Standards and Technology, Dworkin, "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions", NIST Federal Information Processing Standards Publications 202, DOI 10.6028/NIST.FIPS.202, July 2015,
<https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf>.

[NIST.SP.800-185]]

National Institute of Standards and Technology, Kelsey, Change, and Perlner, "SHA-3 derived functions: cSHAKE, KMAC, TupleHash and ParallelHash", NIST Special Publications (General) 800-185, DOI 10.6028/NIST.SP.800-185, December 2016,
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf>.

[NIST.SP.800-38d]

National Institute of Standards and Technology, M J Dworkin, "Recommendation for block cipher modes of operation :GaloisCounter Mode (GCM) and GMAC", NIST Special Publications (General) 800-38d, DOI 10.6028/NIST.SP.800-38d, 2007,
<https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf>.

[RFC2104]

H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>.

[RFC2119]

S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

[RFC2631]

E. Rescorla, "Diffie-Hellman Key Agreement Method", RFC 2631, DOI 10.17487/RFC2631, June 1999,
<https://www.rfc-editor.org/info/rfc2631>.

[RFC3370]

R. Housley, "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370, DOI 10.17487/RFC3370, August 2002,
<https://www.rfc-editor.org/info/rfc3370>.

[RFC3394]

J. Schaad, and R. Housley, "Advanced Encryption Standard (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, September 2002,
<https://www.rfc-editor.org/info/rfc3394>.

[RFC3560]

R. Housley, "Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS)", RFC 3560, DOI 10.17487/RFC3560, July 2003,
<https://www.rfc-editor.org/info/rfc3560>.

[RFC3565]

J. Schaad, "Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003,
<https://www.rfc-editor.org/info/rfc3565>.

[RFC4056]

J. Schaad, "Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)", RFC 4056, DOI 10.17487/RFC4056, June 2005,
<https://www.rfc-editor.org/info/rfc4056>.

[RFC4210]

C. Adams, S. Farrell, T. Kause, and T. Mononen, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)", RFC 4210, DOI 10.17487/RFC4210, September 2005,
<https://www.rfc-editor.org/info/rfc4210>.

[RFC4211]

J. Schaad, "Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)", RFC 4211, DOI 10.17487/RFC4211, September 2005,
<https://www.rfc-editor.org/info/rfc4211>.

[RFC4231]

M. Nystrom, "Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC 4231, DOI 10.17487/RFC4231, December 2005,
<https://www.rfc-editor.org/info/rfc4231>.

[RFC5480]

S. Turner, D. Brown, K. Yiu, R. Housley, and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, DOI 10.17487/RFC5480, March 2009,
<https://www.rfc-editor.org/info/rfc5480>.

[RFC5652]

R. Housley, "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>.

[RFC5753]

S. Turner, and D. Brown, "Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January 2010,
<https://www.rfc-editor.org/info/rfc5753>.

[RFC5754]

S. Turner, "Using SHA2 Algorithms with Cryptographic Message Syntax", RFC 5754, DOI 10.17487/RFC5754, January 2010,
<https://www.rfc-editor.org/info/rfc5754>.

[RFC8017]

K. Moriarty, B. Kaliski, J. Jonsson, and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>.

[RFC8018]

K. Moriarty, B. Kaliski, and A. Rusch, "PKCS #5: Password-Based Cryptography Specification Version 2.1", RFC 8018, DOI 10.17487/RFC8018, January 2017,
<https://www.rfc-editor.org/info/rfc8018>.

[RFC8032]

S. Josefsson, and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.

[RFC8174]

B. Leiba, "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.

[RFC8418]

R. Housley, "Use of the Elliptic Curve Diffie-Hellman Key Agreement Algorithm with X25519 and X448 in the Cryptographic Message Syntax (CMS)", RFC 8418, DOI 10.17487/RFC8418, August 2018,
<https://www.rfc-editor.org/info/rfc8418>.

[RFC8419]

R. Housley, "Use of Edwards-Curve Digital Signature Algorithm (EdDSA) Signatures in the Cryptographic Message Syntax (CMS)", RFC 8419, DOI 10.17487/RFC8419, August 2018,
<https://www.rfc-editor.org/info/rfc8419>.

[RFC8551]

J. Schaad, B. Ramsdell, and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019,
<https://www.rfc-editor.org/info/rfc8551>.

[RFC8692]

P. Kampanakis, and Q. Dang, "Internet X.509 Public Key Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA Using SHAKEs", RFC 8692, DOI 10.17487/RFC8692, December 2019,
<https://www.rfc-editor.org/info/rfc8692>.

[RFC8702]

P. Kampanakis, and Q. Dang, "Use of the SHAKE One-Way Hash Functions in the Cryptographic Message Syntax (CMS)", RFC 8702, DOI 10.17487/RFC8702, January 2020,
<https://www.rfc-editor.org/info/rfc8702>.

[RFC9044]

R. Housley, "Using the AES-GMAC Algorithm with the Cryptographic Message Syntax (CMS)", RFC 9044, DOI 10.17487/RFC9044, June 2021,
<https://www.rfc-editor.org/info/rfc9044>.

[RFC9045]

R. Housley, "Algorithm Requirements Update to the Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)", RFC 9045, DOI 10.17487/RFC9045, June 2021,
<https://www.rfc-editor.org/info/rfc9045>.

[RFC9480]

H Brockhaus, D von Oheimb, and J Gray, "Certificate Management Protocol (CMP) Updates", RFC 9480, DOI 10.17487/RFC9480, November 2023,
<https://www.rfc-editor.org/info/rfc9480>.

[RFC9483]

H Brockhaus, D von Oheimb, and S Fries, "Lightweight Certificate Management Protocol (CMP) Profile", RFC 9483, DOI 10.17487/RFC9483, November 2023,
<https://www.rfc-editor.org/info/rfc9483>.

[ECRYPT.CSA.D5.4]

University of Bristol, "Algorithms, Key Size and Protocols Report (2018)", March 2015,
<https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf>.

[NIST.SP.800-57pt1r5]

National Institute of Standards and Technology, Barker, "Recommendation for key management:part 1 - general", NIST Special Publications (General) 800-57pt1r5, DOI 10.6028/NIST.SP.800-57pt1r5, May 2020,
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf>.

Thanks to Russ Housley for his work on [RFC 9044] and [RFC 9045] upon which this RFC relies heavily. May thanks also to all reviewers like Serge Mister, Mark Ferreira, Yuefei Lu, Tomas Gustavsson, Lijun Liao, David von Oheimb, and Steffen Fries for their input and feedback to this document. Apologies to all not mentioned reviewers and supporters.

Hendrik Brockhaus

Hans Aschauer

Mike Ounsworth

John Gray