IETF, in similar fashion to the original protocols. Many are found by reading through the list of documents that reference the respective protocol. The number of extensions for CMP is relatively low compared to the other two protocols. In 2012, the IETF published the aforementioned HTTP transfer document that specifies how to layer CMP over HTTP [7]. This extension came seven years after the initial publication of the CMP standard. Currently, an IETF working group is developing a set of updates for CMP [22]. The updates allow implementers to more easily use alternative cryptographic algorithms in the future, in case current options are proven insecure. In addition, the updates introduce extended key usages to identify CMP endpoints on the CA and RA. While CMP has few extensions, it has many profiles of its specification. The CMP standard is meant to be comprehensive. Thus, instead of extending the specification when additional functionality is required, an implementing party may profile CMP for its more specific use case.
The first update to EST defines new CSR attributes [23]. These attributes provide alternatives to the challengePassword attribute. Implementers often interpreted the semantics of challengePassword differently, which caused ambiguity between implementations. The update affects the original certificate revocation password, common authentication passwords, and the EST-defined linking of transport security identity. In 2018, the IETF published a new set of extensions for EST [24]. The document defines additional PKI services as path components for EST. Among these is the Package Availability List (PAL). The PAL is a resource provided by the server that indexes the actions made available to a client. With the PAL, the server is able to dynamically communicate the list of available actions to a client. For example, the PAL might contain a package indicating that a new CRL is available for the client by pointing to an applicable URI. Currently, an IETF working group is developing a new transport for EST messages [25]. The EST protocol originally specified transport over HTTP, in which the messages can become relatively large. To support EST on resource-constrained devices, this document defines EST transport based on the Constrained Application Protocol (CoAP) rather than on HTTP. In addition, the document profiles the use of EST to solely support certificate-based client authentication.
Multiple standardized extensions for ACME already exist and several others are in progress. A recently published extension provides a new challenge for ACME that enables domain control validation using TLS