The IESG has approved the following document: - 'Enrollment over Secure Transport' (draft-ietf-pkix-est-09.txt) as Proposed Standard This document is the product of the Public-Key Infrastructure (X.509) Working Group. The IESG contact persons are Sean Turner and Stephen Farrell. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-pkix-est/ Technical Summary This document profiles certificate enrollment for clients using CMC (RFC 5272) defined ³simple² PKI messages over a secure transport. In addition to supporting certificate enrollment and renewal functions, EST also provides a means to obtain copies of a Certificate Authority¹s certificates, have a public key pair generated on behalf of the client, and query the EST server on the attributes required in a certificate request. Where this reduced set of management functionality is inadequate, EST also allows the conveyance of full CMC (RFC 5272) messages. EST is designed to be a standards-track profile of CMC appropriate for solutions currently leveraging the widely implemented but never fully standardized Simple Certificate Enrollment Protocol (SCEP). It improves on that protocol by supporting a wider range of algorithms as well as using TLS for added authentication, encryption, and data integrity and aligning with existing CMC. Working Group Summary This draft is a product of the PKIX WG. It has gone through several revisions within the WG, incorporating input from several major reviews by Steve Kent and Russ Housley as well as reviews from outside sources. The draft has not elicited much in the way of controversy, reflecting only specialized interest in certificate enrollment protocols. Document Quality The document does require a fair bit of background in X.509, ASN.1, and the re-used technologies in order to understand and implement the protocol. However, implementations have been created by two of the authors and one non-author implementor using disparate code bases. Members of the Wi-Fi Alliance (WFA) have also implemented EST as part of the WFA¹s Hotspot 2.0 efforts. Thus it is believed that EST implementations can be created from its specification. Personnel Stefan Santesson (stefan at aaa-sec.com) is the document shepherd. Sean Turner (turners at ieca.com) is the responsible Area Director.