{"draft":"draft-ietf-lamps-rfc7030-csrattrs-23","doc_id":"RFC9908","title":"Clarification and Enhancement of the CSR Attributes Definition in RFC 7030","authors":["M. Richardson, Ed.","O. Friel","D. von Oheimb","D. Harkins"],"format":["HTML","TEXT","PDF","XML"],"page_count":"22","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Limited Additional Mechanisms for PKIX and SMIME","abstract":"This document updates RFC 7030, \"Enrollment over Secure Transport\"\r\n(EST), clarifying how the Certificate Signing Request (CSR)\r\nAttributes Response can be used by an EST server to specify both CSR\r\nattribute Object Identifiers (OIDs) and CSR attribute values,\r\nparticularly X.509 extension values, that the server expects the\r\nclient to include in a subsequent CSR request. RFC 9148 is derived\r\nfrom RFC 7030 and is also updated.\r\n\r\nRFC 7030 is ambiguous in its specification of the CSR Attributes\r\nResponse. This has resulted in implementation challenges and\r\nimplementor confusion because there was no universal understanding of\r\nwhat was specified. This document clarifies the encoding rules.\r\n\r\nThis document also provides a new straightforward approach: using a\r\ntemplate for CSR contents that may be partially filled in by the\r\nserver. This also allows an EST server to specify a subject\r\nDistinguished Name (DN).","pub_date":"January 2026","keywords":["SubjectAltName","SAN","Certificate Extensions","Certificate Signing Request"],"obsoletes":[],"obsoleted_by":[],"updates":["RFC7030","RFC9148"],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC9908","errata_url":null}