5.1 Security Considerations for Implementers

The Health Certificate Enrollment Protocol itself does not ensure the authenticity or integrity of the statement of health (SoH) that the HCEA sends to the HRA: nothing in the protocol prevents a tampered or forged SoH from being presented. Implementations therefore need to protect the SoH by other means, using secure algorithms and methods (for example, an authenticated and integrity-protected transport), so that the HRA can rely on it.

Because the health state of the machine sending the HCEP request can contain sensitive information, implementers should choose an appropriate transport for Health Certificate Enrollment Protocol messages. For example, HTTP over TLS (as specified in [RFC2818]), which authenticates the server and provides confidentiality and integrity, is preferable to plain HTTP, under which the health state is exposed to anyone on the network path.
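As an added illustration, not part of the MS-HCEP specification or any Microsoft implementation, the following Python shows the client-side transport policy the previous paragraph recommends: a TLS context that authenticates the server, checks the hostname, and refuses legacy TLS versions, beside the weak "encrypt but do not verify" configuration, and a check that rejects plain HTTP or an unverified context before an HCEP request is sent. The function names and the HRA URL are assumptions for the example.

```python
import ssl
from urllib.parse import urlsplit


def build_hcep_tls_context(ca_file=None):
    """Client TLS context for HCEP messages (hypothetical helper).

    The server is authenticated against the system trust store or the given
    CA bundle, the hostname must match the certificate, and only TLS 1.2 or
    later is accepted. This is what "HTTP over TLS" in RFC 2818 buys: server
    authentication plus confidentiality and integrity for the health state.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_weak_tls_context():
    """The configuration to avoid: encryption without server authentication.

    An on-path attacker can terminate the TLS session with any certificate
    and read or alter the SoH. Included only so check_transport() has a
    concrete weak context to flag; never use this for HCEP traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_transport(url, ctx=None):
    """Return the reasons a transport is unacceptable for an HCEP request.

    An empty list means the transport passes: HTTPS, server certificate
    verified, hostname checked, and no legacy TLS versions permitted.
    """
    problems = []
    if urlsplit(url).scheme != "https":
        problems.append("not HTTPS: health state would travel in the clear")
        return problems
    if ctx is None:
        problems.append("no TLS context supplied")
        return problems
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy TLS versions allowed")
    return problems


if __name__ == "__main__":
    # Constructed HRA endpoint; no request is actually sent.
    hra = "https://hra.example.test/hcep"
    print("hardened:", check_transport(hra, build_hcep_tls_context()))
    print("weak:    ", check_transport(hra, build_weak_tls_context()))
    print("plain:   ", check_transport("http://hra.example.test/hcep"))
```

The check runs before any connection is opened, so a misconfigured client fails closed rather than leaking the health state and then noticing the problem afterwards.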

When the HCEA is authenticated with Kerberos-based HTTP authentication (as specified in [RFC4559]), the HRA can validate the data in the certificate request against the authenticated client identity. The HRA should use this authentication only to identify the client and should not use it to impersonate the client. Otherwise, if the HRA is compromised, an attacker who controls it could impersonate clients.