Introducing CAKeyUpdContent to ease backward compatibility
HBrock committed Mar 11, 2024
1 parent 5f1571d commit 2c87ff1
Showing 1 changed file with 27 additions and 20 deletions.
47 changes: 27 additions & 20 deletions draft-ietf-lamps-rfc4210bis.md
Expand Up @@ -309,7 +309,7 @@ This document obsoletes {{RFC4210}} and {{RFC9480}}. It includes the changes spe

* Added support for KEM keys for proof-of-possession to {{sect-4.3}} and {{sect-5.2.8}}, for message protection to {{sect-5.1.1}}, {{sect-5.1.3.4}}, and {{sect-e}}, and for usage with CMS EnvelopedData to {{sect-5.2.2}}.

* Deprecated CAKeyUpdAnnContent and ckuann in favor of RootCaKeyUpdateContent and ckuannV3
* Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent.

* Incorporated the request message behavioral clarifications from Appendix
C of {{RFC4210}} to {{sect-5}}. The definition of altCertTemplate was incorporated into {{sect-5.2.1}} and the clarification on POPOSigningKey and on POPOPrivKey was incorporated into {{sect-5.2.8}}.
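Review bot: The rewritten changes bullet ("Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent.") does not mention that this commit also changes the type of ckuann [15] to the new CAKeyUpdContent CHOICE. This list is where readers of the final document look for differences from RFC 4210, so name CAKeyUpdContent here and point to the section that defines it.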
Expand Down Expand Up @@ -1137,7 +1137,7 @@ To change the key of the CA, the CA operator does the following:
the new private key (the "new with new" certificate);

1. Publish these new certificates via the repository and/or other
means (perhaps using a CAKeyUpdAnn message or RootCaKeyUpdateContent);
means (perhaps using a ckuann message or RootCaKeyUpdateContent);

1. Export the new CA public key so that end entities may acquire it
using the "out-of-band" mechanism (if required).
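Review bot: In the "Publish these new certificates" step, the replacement text "a ckuann message or RootCaKeyUpdateContent" pairs a message body name with a content type, and after this commit RootCaKeyUpdateContent is itself one of the alternatives carried in ckuann. Say which second mechanism is meant, for example the request/response root CA update, so that the two options are distinct.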
Expand Down Expand Up @@ -1635,8 +1635,7 @@ For more details of KEM-based message protection see {{sect-5.1.3.4}}. See {{sec
rp [12] RevRepContent, --Revocation Response
ccr [13] CertReqMessages, --Cross-Cert. Request
ccp [14] CertRepMessage, --Cross-Cert. Resp
ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.,
-- deprecated with cmp2021
ckuann [15] CAKeyUpdContent, --CA Key Update Ann.
cann [16] CertAnnContent, --Certificate Ann.
rann [17] RevAnnContent, --Revocation Ann.
crlann [18] CRLAnnContent, --CRL Announcement
Expand All @@ -1648,7 +1647,6 @@ For more details of KEM-based message protection see {{sect-5.1.3.4}}. See {{sec
certConf [24] CertConfirmContent, --Certificate Confirm
pollReq [25] PollReqContent, --Polling Request
pollRep [26] PollRepContent --Polling Response
ckuannV3 [27] RootCaKeyUpdateContent, --CA Key Update Ann.
}
~~~~

Expand Down Expand Up @@ -2687,11 +2685,16 @@ be used to announce this event.
newWithOld [0] CMPCertificate OPTIONAL,
oldWithNew [1] CMPCertificate OPTIONAL
}

CAKeyUpdContent ::= CHOICE {
cAKeyUpdAnnV2 CAKeyUpdAnnContent, -- deprecated
cAKeyUpdAnnV3 [0] RootCaKeyUpdateContent
}
~~~~

To indicate support for ckuannV3 with RootCaKeyUpdateContent in an announcement message, the pvno cmp2021 MUST be used. Details on the usage of the protocol version number (pvno) are described in Section 7.
To indicate support for ckuann with RootCaKeyUpdateContent in the ckuann message, the pvno cmp2021 MUST be used. Details on the usage of the protocol version number (pvno) are described in Section 7.

In contrast to ckuann message using CAKeyUpdAnnContent as supported with cmp2000, ckuannV3 using RootCaKeyUpdateContent offers omitting newWithOld and oldWithNew, depending on the needs of the EE.
In contrast to CAKeyUpdAnnContent as supported with cmp2000, RootCaKeyUpdateContent offers omitting newWithOld and oldWithNew, depending on the needs of the EE.

### Certificate Announcement
{: id="sect-5.3.14"}
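Review bot: The sentence after the new CAKeyUpdContent definition says pvno cmp2021 MUST be used for RootCaKeyUpdateContent, but it does not state which alternative a sender uses under cmp2000 or what a receiver does when cAKeyUpdAnnV3 arrives with pvno cmp2000. Add both, together with a sentence noting that cAKeyUpdAnnV2 is left untagged and is told apart from cAKeyUpdAnnV3 [0] by tag alone, since the backward compatibility named in the commit title rests on that. The wording "support for ckuann with RootCaKeyUpdateContent in the ckuann message" also repeats ckuann and can be shortened.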
Expand Down Expand Up @@ -3007,7 +3010,7 @@ This MAY be used by the client to get CA certificates.

This MAY be used by the client to get an update of a root CA certificate,
which is provided in the body of the request message. In contrast to the
ckuannV3 message, this approach follows the request/response model.
ckuann message, this approach follows the request/response model.

The EE SHOULD reference its current trust anchor in RootCaCertValue
in the request body, giving the root CA certificate if available.
Expand Down Expand Up @@ -3648,7 +3651,7 @@ is needed for the request being sent or for the expected response.
Note: Using cmp2000 as the default pvno is done to avoid extra message exchanges
for version negotiation and to foster compatibility with cmp2000 implementations.
Version cmp2021 syntax is only needed if a message exchange uses hashAlg
(in CertStatus), EnvelopedData, or RootCaKeyUpdateContent.
(in CertStatus), EnvelopedData, or ckuann with RootCaKeyUpdateContent.

If a server receives a message with a version that it supports, then
the version of the response message MUST be the same as the received
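Review bot: The note now limits the cmp2021 requirement to "ckuann with RootCaKeyUpdateContent", where the previous wording covered RootCaKeyUpdateContent wherever it appears. The draft also carries root CA key updates in a request/response exchange, so state explicitly whether that use needs cmp2021 rather than leaving it to be inferred from the omission.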
Expand Down Expand Up @@ -4613,13 +4616,13 @@ announcement message that can be made available (via some transport
mechanism) to the relevant end entities. A confirmation message is
not required from the end entities.

ckuannV3 message:
ckuann message:

~~~~
Field Value Comment
--------------------------------------------------------------
sender CA name CA name
body ckuannV3(RootCaKeyUpdateContent)
body ckuann(RootCaKeyUpdateContent)
newWithNew present see Appendix D.3 above
newWithOld optionally present see Appendix D.3 above
oldWithNew optionally present see Appendix D.3 above
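Review bot: The body row "ckuann(RootCaKeyUpdateContent)" no longer matches the syntax, because ckuann now holds CAKeyUpdContent and RootCaKeyUpdateContent is reached through the cAKeyUpdAnnV3 alternative. Name the alternative in the table, and consider a row or comment for pvno cmp2021, which the main text requires for this form of the message.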
Expand Down Expand Up @@ -4705,9 +4708,11 @@ PreferredSymmAlg present (object identifier one
value
-- the symmetric algorithm that this CA expects to be used
-- in later PKI messages (for encryption)
CAKeyUpdateInfo optionally present, with
RootCaKeyUpdate optionally present, with
relevant value
-- the CA MAY provide information about a relevant root CA
-- Use RootCaKeyUpdate; if backward compatibility with cmp2000 is
-- required, use CAKeyUpdateInfo.
-- The CA MAY provide information about a relevant root CA
-- key pair using this field (note that this does not imply
-- that the responding CA is the root CA in question)
CurrentCRL optionally present, with relevant value
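Review bot: The added comment "if backward compatibility with cmp2000 is required, use CAKeyUpdateInfo" gives the CA no criterion for deciding when compatibility is required. Tie the choice to something observable, such as the pvno or the info type in the request, and mention that id-it-caKeyUpdateInfo is marked deprecated with cmp2021 elsewhere in this commit, so the profile does not appear to recommend a deprecated type without qualification.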
Expand Down Expand Up @@ -5229,8 +5234,7 @@ PKIBody ::= CHOICE { -- message-specific body elements
rp [12] RevRepContent, --Revocation Response
ccr [13] CertReqMessages, --Cross-Cert. Request
ccp [14] CertRepMessage, --Cross-Cert. Response
ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann.,
-- deprecated with cmp2021
ckuann [15] CAKeyUpdContent, --CA Key Update Ann.
cann [16] CertAnnContent, --Certificate Ann.
rann [17] RevAnnContent, --Revocation Ann.
crlann [18] CRLAnnContent, --CRL Announcement
Expand All @@ -5242,10 +5246,6 @@ PKIBody ::= CHOICE { -- message-specific body elements
certConf [24] CertConfirmContent, --Certificate Confirm
pollReq [25] PollReqContent, --Polling Request
pollRep [26] PollRepContent --Polling Response
ckuannV3 [27] RootCaKeyUpdateContent, --CA Key Update Ann. CMP V3
-- Use cmp2021 with ckuannV3; if backward compatibility with
-- cmp2000 is required, use ckuann, see Section 5.2.2

}

PKIProtection ::= BIT STRING
Expand Down Expand Up @@ -5527,6 +5527,12 @@ CAKeyUpdAnnContent ::= SEQUENCE {
newWithOld CMPCertificate, -- new pub signed with old priv
newWithNew CMPCertificate -- new pub signed with new priv
}

-- CAKeyUpdContent was added in [RFCXXXX]
CAKeyUpdContent ::= CHOICE {
cAKeyUpdAnnV2 CAKeyUpdAnnContent, -- deprecated
cAKeyUpdAnnV3 [0] RootCaKeyUpdateContent
}
-- With cmp2021 the use of CAKeyUpdAnnContent is deprecated , use
-- RootCaKeyUpdateContent instead.

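Review bot: The new CAKeyUpdContent definition is inserted between CAKeyUpdAnnContent and its trailing comment "With cmp2021 the use of CAKeyUpdAnnContent is deprecated", so that comment now reads as if it described CAKeyUpdContent. Move the new definition below the comment, or move the comment up next to CAKeyUpdAnnContent. The guidance removed from PKIBody in this commit (cmp2021 for the new form, the old form where cmp2000 compatibility is required) would also fit as comments on the two alternatives here.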
Expand Down Expand Up @@ -5660,6 +5666,7 @@ SupportedInfoSet INFO-TYPE-AND-VALUE ::= { ... }
-- PreferredSymmAlgValue ::= AlgorithmIdentifier{{...}}
-- id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5}
-- CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent
-- - id-it-caKeyUpdateInfo was deprecated with cmp2021
-- id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6}
-- CurrentCRLValue ::= CertificateList
-- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
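Review bot: The added line "-- - id-it-caKeyUpdateInfo was deprecated with cmp2021" has a stray "- " after the comment marker and sits after CAKeyUpdateInfoValue rather than with the OID it describes. Drop the extra dash and place the remark directly with the id-it-caKeyUpdateInfo line, matching the surrounding comment style.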
Expand Down Expand Up @@ -5794,7 +5801,7 @@ Note: This appendix will be deleted in the final version of the document.

From version 08 -> 09:

* Deprecated CAKeyUpdAnnContent and ckuann in favor of RootCaKeyUpdateContent and ckuannV3 in CMP V3 as proposed by Tomas
* Deprecated CAKeyUpdAnnContent in favor of RootCaKeyUpdateContent in CMP V3 as proposed by Tomas

* Deleted an obsolete sentence in Section 8.8
