RFC 4210, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)", September 2005Source of RFC: pkix (sec)
Errata ID: 5731
Status: Held for Document Update
Publication Format(s) : TEXT
Reported By: Lijun Liao
Date Reported: 2019-05-22
Held for Document Update by: Roman Danyliw
Date Held: 2022-04-27
Throughout the document, when it says:
It should say:
In appendixes D.4, D.5, E.5 and E.6, the recipient field of requests and the sender field of responses are specified as "the name of the CA". It is no problem for CA which signs the CMP response.
However, as best practice, the CA's private key which is used to sign the certificates, is NOT RECOMMENDED to sign/decrypt the communication messages. In this case, another entity (private key + certificate) is used to decrypt the incoming messages and sign the outgoing ones.
The text and comment for the fields "recipient" in requests and "sender" in responses need to be corrected to the case described above. If you think the original text and comment are correct, then we need instruction on how to handle this case.