2.2.2.2 HTTP Message Header Fields Introduced by HCEP

The HTTP message headers in the HCEP response MUST include the following Tokens.

Tokens

HCEP-Version: MUST be a string with value "1.0".

HCEP-Correlation-Id: This MUST be a Correlation Id that is base64-encoded (as specified in [RFC3548] section 3). A Correlation Id (as specified in [TNC-IF-TNCCSPBSoH] section 3.8.6) is a 24-byte value that uniquely identifies a Health Certificate Enrollment Protocol transaction originating from the HCEA. It SHOULD<13> be the same as the Correlation Id that is present in SoH, as specified in [TNC-IF-TNCCSPBSoH] section 3.8.

HCEP-SoHR: MUST be the base64-encoded statement of health response (SoHR), as specified in [TNC-IF-TNCCSPBSoH] section 3.6.

The SoHR is the result of the validation of the SoH, as specified in [TNC-IF-TNCCSPBSoH] section 3.5, received by the HRA from the HCEP request. It is an opaque sequence of bytes that is not interpreted or used directly by the Health Certificate Enrollment Protocol.

HCEP-AFW-Protection-Level: MUST be a string that is specified as follows:

This value MUST be sent back from the HRA in an HCEP response. Valid values for this field MUST be:

  • "1" to indicate that the certificate payload in the HCEP response can be used for signing data.

  • "2" to indicate that the certificate payload in the HCEP response can be used for signing and encrypting data.

HCEP-AFW-Zone: MUST be a string specified as follows:

This field MUST be sent back from the HRA in an HCEP response. Valid values for this field MUST be the ASCII (as specified in [RFC20]) representation of the decimal form of integers from zero to 2^32 - 1 inclusive. This is used as a hint for dynamic selection of a preconfigured policy by the consumer of the health certificate on the client.<14>

The header MAY<15> contain other fields besides those listed here. All other fields SHOULD be ignored by the Health Certificate Enrollment Protocol client.
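
The following is an added example, not part of the specification or of any Microsoft implementation: a strict client-side check of the five fields listed above. The function name, the result keys and the sample values are hypothetical; rejecting a repeated field and accepting leading zeros in HCEP-AFW-Zone are assumptions, since this section does not address either case.

```python
import base64

REQUIRED = ("hcep-version", "hcep-correlation-id", "hcep-sohr",
            "hcep-afw-protection-level", "hcep-afw-zone")
LEVELS = {"1": "sign", "2": "sign+encrypt"}

def _b64(name, value):
    """Strict base64 decode: rejects bad padding and non-alphabet characters."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"{name}: not valid base64") from exc

def parse_hcep_response_headers(headers):
    """Validate the HCEP fields in (name, value) pairs; raise ValueError if bad."""
    fields = {}
    for name, value in headers:
        key = name.lower()              # HTTP field names are case-insensitive
        if key in REQUIRED:             # any other field is ignored
            if key in fields:
                raise ValueError(f"{name}: duplicate field")  # assumption
            fields[key] = value.strip()
    if missing := [k for k in REQUIRED if k not in fields]:
        raise ValueError(f"missing fields: {missing}")
    if fields["hcep-version"] != "1.0":
        raise ValueError("HCEP-Version: must be 1.0")
    corr = _b64("HCEP-Correlation-Id", fields["hcep-correlation-id"])
    if len(corr) != 24:
        raise ValueError("HCEP-Correlation-Id: must decode to 24 bytes")
    sohr = _b64("HCEP-SoHR", fields["hcep-sohr"])  # opaque, never interpreted
    level = fields["hcep-afw-protection-level"]
    if level not in LEVELS:
        raise ValueError("HCEP-AFW-Protection-Level: must be 1 or 2")
    zone = fields["hcep-afw-zone"]
    # ASCII digits only: no sign, no whitespace inside, no Unicode digits.
    if not (zone.isascii() and zone.isdigit() and len(zone) <= 10):
        raise ValueError("HCEP-AFW-Zone: not an ASCII decimal integer")
    if int(zone) > 2**32 - 1:
        raise ValueError("HCEP-AFW-Zone: out of range")
    return {"correlation_id": corr, "sohr": sohr,
            "protection": LEVELS[level], "zone": int(zone)}

# Constructed sample response fields (not captured traffic).
SAMPLE = [("HCEP-Version", "1.0"), ("hcep-afw-zone", "7"), ("X-Other", "x"),
          ("HCEP-Correlation-Id", base64.b64encode(bytes(range(24))).decode()),
          ("HCEP-SoHR", "AAEC"), ("HCEP-AFW-Protection-Level", "2")]
```
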