Protocol Action: 'Enrollment over Secure Transport' to Proposed Standard (draft-ietf-pkix-est-09.txt)

The IESG <> Thu, 15 August 2013 18:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1BB3D11E81DA; Thu, 15 Aug 2013 11:18:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.497
X-Spam-Status: No, score=-102.497 tagged_above=-999 required=5 tests=[AWL=0.103, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1jf7FdClJuz4; Thu, 15 Aug 2013 11:18:46 -0700 (PDT)
Received: from (localhost [IPv6:::1]) by (Postfix) with ESMTP id 14B2911E8213; Thu, 15 Aug 2013 11:18:45 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: The IESG <>
To: IETF-Announce <>
Subject: Protocol Action: 'Enrollment over Secure Transport' to Proposed Standard (draft-ietf-pkix-est-09.txt)
X-Test-IDTracker: no
X-IETF-IDTracker: 4.70.p1
Message-ID: <>
Date: Thu, 15 Aug 2013 11:18:45 -0700
Cc: pkix mailing list <>, pkix chair <>, RFC Editor <>
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IETF announcement list. No discussions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 15 Aug 2013 18:18:47 -0000

The IESG has approved the following document:
- 'Enrollment over Secure Transport'
  (draft-ietf-pkix-est-09.txt) as Proposed Standard

This document is the product of the Public-Key Infrastructure (X.509)
Working Group.

The IESG contact persons are Sean Turner and Stephen Farrell.

A URL of this Internet Draft is:

Technical Summary

This document profiles certificate enrollment for clients using CMC (RFC
5272) defined ³simple² PKI messages over a secure transport. In addition
to supporting certificate enrollment and renewal functions, EST also
provides a means to obtain copies of a Certificate Authority¹s
certificates, have a public key pair generated on behalf of the client,
and query the EST server on the attributes required in a certificate
request.  Where this reduced set of management functionality is
inadequate, EST also allows the conveyance of full CMC (RFC 5272)
messages.  EST is designed to be a standards-track profile of CMC
appropriate for solutions currently leveraging the widely implemented
but never fully standardized Simple Certificate Enrollment Protocol
(SCEP).  It improves on that protocol by supporting a wider range of
algorithms as well as using TLS for added authentication, encryption,
and data integrity and aligning with existing CMC.

Working Group Summary

This draft is a product of the PKIX WG. It has gone through several
revisions within the WG, incorporating input from several major reviews
by Steve Kent and Russ Housley as well as reviews from outside sources.
  The draft has not elicited much in the way of controversy, reflecting
only specialized interest in certificate enrollment protocols.

Document Quality

The document does require a fair bit of background in X.509, ASN.1, and
the re-used technologies in order to understand and implement the
protocol.  However, implementations have been created by two of the
authors and one non-author implementor using disparate code bases.
Members of the Wi-Fi Alliance (WFA) have also implemented EST as part of
the WFA¹s Hotspot 2.0 efforts.  Thus it is believed that EST
implementations can be created from its specification.


Stefan Santesson (stefan at is the document shepherd.
Sean Turner (turners at is the responsible Area Director.