Unprotected CMP error messages #121
Hi, according to EJBCA documentation
Was just wondering what is the reason why this violates rfc4210#section-5.3.21
Or is there a configuration to protect CMP error messages? Thanks
Replies: 1 comment
That section in RFC4210 is not really thought through imho. EJBCA signs some error messages, but not all.
Since EJBCA is multi-tenant, signing error messages when it's not even possible to identify the tenant does not make sense. It also exposes signing keys to unnecessary risk, i.e. chosen plaintext attacks, or just very simple DDoS attacks if it's very simple to cause signings to be done by just sending crap to the http endpoint.
So you will find that some error messages are actually signed, when it has reached a little further and the response signing keys are actually identified. It's a bit of a balance there, in practice our approach has worked well for tons of use cases and differe…